Arkadii Slinko
Algebra for
Applications
Cryptography, Secret Sharing,
Error-Correcting, Fingerprinting,
Compression
Springer Undergraduate Mathematics Series
Advisory Board
M.A.J. Chaplain, University of Dundee, Dundee, Scotland, UK
K. Erdmann, University of Oxford, Oxford, England, UK
A. MacIntyre, Queen Mary, University of London, London, England, UK
E. Süli, University of Oxford, Oxford, England, UK
M.R. Tehranchi, University of Cambridge, Cambridge, England, UK
J.F. Toland, University of Cambridge, Cambridge, England, UK
More information about this series at http://www.springer.com/series/3423
Arkadii Slinko
Department of Mathematics
The University of Auckland
Auckland
New Zealand
Mathematics Subject Classification: 11A05–11A51, 11C08, 11C20, 11T06, 11T71, 11Y05, 11Y11,
11Y16, 20A05, 20B30, 12E20, 14H52, 14G50, 68P25, 68P30, 94A60, 94A62
This book originated from my lecture notes for the one-semester course which I
have given many times at The University of Auckland since 1998. The goal of that
course and this book is to show the incredible power of algebra and number theory
in the real world. It does not advance far in theoretical algebra, theoretical number
theory or combinatorics. Instead, we concentrate on concrete objects like groups of
points on elliptic curves, polynomial rings and finite fields, study their elementary
properties and show their exceptional applicability to various problems in infor-
mation handling. Among the applications are cryptography, secret sharing,
error-correcting, fingerprinting and compression of information.
Some chapters of this book—especially the number-theoretic and cryptographic
ones—use GAP to illustrate the main ideas. GAP is a system for computational
discrete algebra, which provides a programming language, a library of thousands of
functions implementing algebraic algorithms, written in the GAP language, as well
as large data libraries of algebraic objects.
If you are using this book for self-study, then, when studying a certain topic,
familiarise yourself with the corresponding section of Appendix A, where you will
find detailed instructions on how to use GAP for this particular topic. As GAP will
be useful for most topics, it is not a good idea to skip it completely.
I owe a lot to Robin Christian who in 2006 helped me to introduce GAP to my
course and proofread the lecture notes. The introduction of GAP has been the
biggest single improvement to this course. The initial version of the GAP Notes,
which have now been developed into Appendix A, were written by Robin. Stefan
Kohl, with the assistance of Eamonn O’Brien, has kindly provided us with two
programs for GAP that allowed us to calculate in groups of points on elliptic curves.
I am grateful to Paul Hafner, Primož Potočnic, Jamie Sneddon and especially to
Steven Galbraith who in various years were members of the teaching team for this
course and suggested valuable improvements or contributed exercises.
Many thanks go to Shaun White who did a very thorough job proofreading part
of the text in 2008 and to Steven Galbraith who improved the section on
cryptography in 2009 and commented on the section on compression. However, I bear
the sole responsibility for all mistakes and misprints in this book. I would be most
obliged if you report any noticed mistakes and misprints to me.
I hope you will enjoy this book as much as I enjoyed writing it.
Contents
1 Integers ... 1
1.1 Natural Numbers ... 1
1.1.1 Basic Principles ... 1
1.1.2 Divisibility and Primes ... 4
1.1.3 Factoring Integers. The Sieve of Eratosthenes ... 9
1.2 The Euclidean Algorithm ... 14
1.2.1 Greatest Common Divisor and Least Common Multiple ... 14
1.2.2 Extended Euclidean Algorithm. Chinese Remainder Theorem ... 17
1.3 Fermat’s Little Theorem and Its Generalisations ... 22
1.3.1 Euler’s φ-Function ... 22
1.3.2 Congruences. Euler’s Theorem ... 24
1.4 The Ring of Integers Modulo n. The Field Z_p ... 27
1.5 Representation of Numbers ... 32
2 Cryptology ... 37
2.1 Classical Secret-Key Cryptology ... 38
2.1.1 The One-Time Pad ... 39
2.1.2 An Affine Cryptosystem ... 41
2.1.3 Hill’s Cryptosystem ... 43
2.2 Modern Public-Key Cryptology ... 47
2.2.1 One-Way Functions and Trapdoor Functions ... 47
2.3 Computational Complexity ... 49
2.3.1 Orders of Magnitude ... 50
2.3.2 The Time Complexity of Several Number-Theoretic Algorithms ... 54
2.4 The RSA Public-Key Cryptosystem ... 58
2.4.1 How Does the RSA System Work? ... 58
2.4.2 Why Does the RSA System Work? ... 61
2.4.3 Pseudoprimality Tests ... 64
3 Groups ... 73
3.1 Permutations ... 73
3.1.1 Composition of Mappings. The Group of Permutations of Degree n ... 73
3.1.2 Block Permutation Cipher ... 78
3.1.3 Cycles and Cycle Decomposition ... 79
3.1.4 Orders of Permutations ... 81
3.1.5 Analysis of Repeated Actions ... 84
3.1.6 Transpositions. Even and Odd ... 86
3.1.7 Puzzle 15 ... 89
3.2 General Groups ... 93
3.2.1 Definition of a Group. Examples ... 93
3.2.2 Powers, Multiples and Orders. Cyclic Groups ... 95
3.2.3 Isomorphism ... 97
3.2.4 Subgroups ... 100
3.3 The Abelian Group of an Elliptic Curve ... 103
3.3.1 Elliptic Curves. The Group of Points of an Elliptic Curve ... 104
3.3.2 Quadratic Residues and Hasse’s Theorem ... 109
3.3.3 Calculating Large Multiples Efficiently ... 112
3.4 Applications to Cryptography ... 114
3.4.1 Encoding Plaintext ... 114
3.4.2 Additive Diffie–Hellman Key Exchange and the Elgamal Cryptosystem ... 115
References ... 116
4 Fields ... 117
4.1 Introduction to Fields ... 117
4.1.1 Examples and Elementary Properties of Fields ... 117
4.1.2 Vector Spaces ... 119
4.1.3 The Cardinality of a Finite Field ... 124
4.2 The Multiplicative Group of a Finite Field Is Cyclic ... 125
4.2.1 Lemmas on Orders of Elements ... 126
4.2.2 Proof of the Main Theorem ... 128
4.2.3 Discrete Logarithms ... 129
4.3 The Elgamal Cryptosystem Revisited ... 130
5 Polynomials ... 133
5.1 The Ring of Polynomials ... 133
5.1.1 Introduction to Polynomials ... 133
5.1.2 Lagrange Interpolation ... 138
The theory of numbers is the oldest and the most fundamental mathematical
discipline. Despite its old age, it is one of the most active research areas of mathematics
due to two main reasons. Firstly, the advent of fast computers has changed Number
Theory profoundly and made it in some ways almost an experimental discipline.
Secondly, new important areas of applications such as cryptography have emerged.
Some of the applications of Number Theory will be considered in this course.
proofs we use all of them since one may be much more convenient to use than the
others.
Example 1.1.1 On planet Tralfamadore there are only 3 cent and 5 cent coins in
circulation. Prove that an arbitrary sum of n ≥ 8 cents can be paid (provided one has
a sufficient supply of coins).
Solution: Suppose that this statement is not true and there are positive integers
m ≥ 8 for which the sum of m cents cannot be paid by a combination of 3 cent and
5 cent coins. By the Least Integer Principle there is a smallest such positive integer
s (the minimal counterexample). It is clear that s is not 8, 9 or 10 as 8 = 3 + 5,
9 = 3 + 3 + 3, 10 = 5 + 5. Thus s − 3 ≥ 8 and, since s was minimal, the sum of
s − 3 cents can be paid as required. Adding to s − 3 cents one more 3 cent coin we
obtain that the sum of s cents can be also paid, which is a contradiction.
$$\frac{1}{1^2} + \frac{1}{2^2} + \cdots + \frac{1}{n^2} < 2.$$
Solution: Denote the left-hand side of the inequality by F(n). We have a sequence
of statements A1 , A2 , . . . , An , . . . to be proved, where An is F(n) < 2, and we are
going to use the Principle of Mathematical Induction to prove all of them.
The statement A1 reduces to
$$\frac{1}{1^2} < 2,$$
which is true. Now we have to derive the validity of An+1 from the validity of An ,
that is, to prove that
$$F(n) < 2 \quad\text{implies}\quad F(n) + \frac{1}{(n+1)^2} < 2.$$
Oops! It is not possible because, while we do know that F(n) < 2, we do not have
the slightest idea how close F(n) is to 2, and we therefore cannot be sure that there
will be room for $\frac{1}{(n+1)^2}$. What shall we do?
Surprisingly, the stronger inequality
$$\frac{1}{1^2} + \frac{1}{2^2} + \cdots + \frac{1}{n^2} \le 2 - \frac{1}{n}$$
$$\frac{1}{1^2} = 2 - \frac{1}{1},$$
and
$$F(n) \le 2 - \frac{1}{n} \quad\text{implies}\quad F(n) + \frac{1}{(n+1)^2} \le 2 - \frac{1}{n+1} \tag{1.1}$$
is now true. Due to the induction hypothesis, which is $F(n) \le 2 - \frac{1}{n}$, to show (1.1)
it would be sufficient to show that
$$2 - \frac{1}{n} + \frac{1}{(n+1)^2} \le 2 - \frac{1}{n+1}.$$
This is equivalent to
$$\frac{1}{(n+1)^2} \le \frac{1}{n} - \frac{1}{n+1} = \frac{1}{n(n+1)},$$
which is true.
This example shows that we shouldn’t expect that someone has already prepared
the problem for us so that the Principle of Mathematical Induction can be applied
directly.
The reader needs to be familiar with the induction principles. The exercises below
concentrate on the use of the Least Integer Principle.
Exercises
is denoted by Z.
Theorem 1.1.1 (Division with Remainder) Given any integers a, b, with a > 0,
there exist unique integers q, r such that
b = qa + r, and 0 ≤ r < a.
In this case we also say that q and r are, respectively, the quotient and the remainder
of b when it is divided by a. It is often said that q and r are the quotient and the
remainder of dividing a into b. The notation r = b mod a is often used. You can
find q and r by using long division, a technique which most students learn at school.
If you want to find q and r using a calculator, use it to divide b by a. This will give
you a number with decimals. Discard all the digits to the right of the decimal point
to obtain q. Then find r as b − qa.
Example 1.1.3 (a) 35 = 3 · 11 + 2, (b) −51 = (−8) · 7 + 5; so that 2 = 35 mod 11
and 5 = −51 mod 7.
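The calculator recipe above truncates b/a toward zero, which gives the wrong q for a negative b such as the −51 of Example 1.1.3. The following Python functions (an added example, not the book's GAP code) implement Theorem 1.1.1 for any integer b and a > 0, and reproduce the truncating recipe so the two can be compared on the same inputs.

```python
def div_rem(b, a):
    """Quotient q and remainder r of Theorem 1.1.1: b = q*a + r with 0 <= r < a.

    Valid for every integer b (negative included) and every integer a > 0.
    Python's // rounds toward minus infinity, which is exactly what keeps r
    non-negative when b < 0; the remainder is then the book's "b mod a".
    """
    if a <= 0:
        raise ValueError("the divisor a must be a positive integer")
    q = b // a
    r = b - q * a
    assert 0 <= r < a and b == q * a + r   # the two conditions of the theorem
    return q, r


def calculator_div_rem(b, a):
    """The calculator recipe from the text: divide b by a, drop the digits after
    the decimal point, then form the remainder from that q.

    Dropping the digits truncates toward zero, so for b < 0 this yields a
    remainder outside 0 <= r < a; compare with div_rem on the same inputs.
    """
    q = int(b / a)          # int() truncates toward zero, e.g. -7.28... -> -7
    return q, b - q * a


def mod(b, a):
    """b mod a in the sense of the text: the unique r with b = q*a + r, 0 <= r < a."""
    return div_rem(b, a)[1]


if __name__ == "__main__":
    # Example 1.1.3 of the text: 35 = 3*11 + 2 and -51 = (-8)*7 + 5
    print(div_rem(35, 11), div_rem(-51, 7))      # (3, 2) (-8, 5)
    print(calculator_div_rem(-51, 7))            # (-7, -2): remainder is negative
```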
Definition 1.1.1 An integer b is divisible by an integer a ≠ 0 if there exists an
integer c such that b = ac, that is, we have b mod a = 0. We also say that a is a
divisor of b and write a | b.
Let n be a positive integer. Let us denote by d(n) the number of positive divisors
of n. It is clear that 1 and n are always divisors of any number n which is greater
than 1. Thus we have d(1) = 1 and d(n) ≥ 2 for n > 1.
Definition 1.1.2 A positive integer n is called a prime if d(n) = 2. An integer n > 1
which is not prime is called a composite number.
Example 1.1.4 (a) 2, 3, 5, 7, 11, 13 are primes; (b) 1, 4, 6, 8, 9, 10 are not primes;
(c) 4, 6, 8, 9, 10 are composite numbers.
A composite positive integer n can always be represented as a product of two
other positive integers different from 1 and n. Indeed, since d(n) > 2, there is a
divisor n1 such that 1 < n1 < n. But then n2 = n/n1 also satisfies 1 < n2 < n and
n = n1n2. We are ready to prove
Theorem 1.1.2 (The Fundamental Theorem of Arithmetic) Every positive integer
n > 1 can be expressed as a product of primes (with perhaps only one factor), that is
Proof Let us prove first that any number n > 1 can be decomposed into a product
of primes. We will use the Principle of Strong Mathematical Induction. If n = 2, the
decomposition is trivial and we have only one factor, which is 2 itself. Let us assume
that for all positive integers which are less than n, a decomposition into a product
of primes exists. If n is a prime, then n = n is the decomposition required. If n is
composite, then n = n1n2, where n > n1 > 1 and n > n2 > 1 and by the induction
hypothesis there are prime decompositions n1 = p1 . . . pr and n2 = q1 . . . qs for n1
and n2. Then we may combine them
$$n = n_1 n_2 = p_1 \ldots p_r q_1 \ldots q_s$$
$$n = p_1 p_2 \ldots p_r = q_1 q_2 \ldots q_s, \tag{1.2}$$
where pi and qj are primes. By rearranging the order of the p’s and the q’s, if
necessary, we may assume that
$$p_1 \le p_2 \le \ldots \le p_r, \qquad q_1 \le q_2 \le \ldots \le q_s.$$
It is impossible that p1 = q1, for, if it were the case, we would cancel the first factor
from each side of Eq. (1.2) and obtain two essentially different prime decompositions
for the number n/p1, which is smaller than n, contradicting the choice of n. Hence
either p1 < q1 or q1 < p1. Without loss of generality we suppose that p1 < q1.
We now form the integer
$$n' = n - p_1 q_2 q_3 \ldots q_s. \tag{1.3}$$
$$n' = (p_1 p_2 \ldots p_r) - (p_1 q_2 \ldots q_s) = p_1 (p_2 \ldots p_r - q_2 \ldots q_s), \tag{1.4}$$
Since n' is a positive integer, which is smaller than n and greater than 1, the prime
decomposition for n' must be unique, apart from the order of the factors. This means
that if we complete prime factorisations (1.4) and (1.5) the result will be identical.
From (1.4) we learn that p1 is a factor of n' and must appear as a factor in
decomposition (1.5). Since p1 < q1 ≤ qi, we see that p1 ≠ qi, i = 2, 3, . . . , s. Hence, it is a
factor of q1 − p1, i.e., q1 − p1 = p1m or q1 = p1(m + 1), which is impossible as q1
is prime and m + 1 ≥ 2. This contradiction completes the proof of the Fundamental
Theorem of Arithmetic. □
gap> FactorsInt(396);
[ 2, 2, 3, 3, 11 ]
gap> FactorsInt(17);
[ 17 ]
GAP conveniently remembers all 168 primes not exceeding 1000. They are stored
in the array Primes (in Sect. 9.1.3 all the primes in this array are listed). GAP can
also check if a particular number is prime or not.
gap> IsPrime(2^(2^4)-1);
false
gap> IsPrime(2^(2^4)+1);
true
What GAP cannot answer is whether or not there are infinitely many primes. This is
something that can only be proved.
Proof Suppose there were only finitely many primes p1, p2, . . . , pr. Then form the
integer
$$n = 1 + p_1 p_2 \ldots p_r.$$
1 Euclid of Alexandria (about 325 BC–265 BC) is one of the most prominent educators of all
time. He is best known for his treatise on mathematics The Elements which is divided into 13
books: the first six on geometry, three on number theory, one is devoted to Eudoxus’s theory of
irrational numbers and the last three to solid geometry. Euclid is not known to have made any
original discoveries and The Elements are based on the work of the people before him such as
Eudoxus, Thales, Hippocrates and Pythagoras. Over a thousand editions of this work have been
published since the first printed version appeared in 1482. Very little, however, is known about his
life. The enormity of the work attributed to Euclid even led some researchers to suggest that The
Elements was written by a team of mathematicians at Alexandria who took the name Euclid from
the historical character who lived 100 years earlier.
Since n > pi for all i, it must be composite. Let q be the smallest prime factor of n.
As p1, p2, . . . , pr represent all existing primes, then q is one of them, say q = p1
and n = p1m. Now we can write
$$1 = n - p_1 p_2 \ldots p_r = p_1 m - p_1 p_2 \ldots p_r = p_1 (m - p_2 \ldots p_r).$$
gap> F5:=2^(2^5)+1;
4294967297
gap> IsPrime(F5);
false
gap> FactorsInt(F5);
[ 641, 6700417 ]
Since then it has been shown that all numbers F5 , F6 , . . . , F32 are composite. The
status of F33 remains unknown (December, 2014). It is also unknown whether there
are infinitely many prime Fermat numbers.
Many early scholars felt that the numbers of the form 2^n − 1 were prime for all
prime values of n, but in 1536 Hudalricus Regius showed that 2^11 − 1 = 2047 =
23 · 89 was not prime. The French monk Marin Mersenne (1588–1648) gave in
the preface to his Cogitata Physica-Mathematica (1644) a list of positive integers
n < 257 for which the numbers 2^n − 1 were prime. Several numbers in that list were
incorrect. By 1947 Mersenne’s range, n < 257, had been completely checked and it
was determined that the correct list was:
2 Leonhard Euler (1707–1783) was a Swiss mathematician who made enormous contributions in
fields as diverse as infinitesimal calculus and graph theory. He introduced much of the modern
mathematical terminology and notation. [3] He is also renowned for his work in mechanics, fluid
dynamics, optics, astronomy, and music theory.
project led by Dr. Curtis Cooper.³ The new prime number is 2^57885161 − 1; it has
17,425,170 digits. This is the largest known prime to date. We can check with GAP
if the number of digits of this prime was reported correctly:
gap> n:=57885161;;
gap> 2^n-1;
<integer 581...951 (17425170 digits)>
Exercises
1. Write a GAP program that calculates the 2007th prime p2007 . Calculate p2007 .
2. Write a GAP program that finds the smallest k for which
$$n = p_1 p_2 \ldots p_k + 1$$
3 See http://www.mersenne.org/various/57885161.htm.
None of the ideas we have learned up to now will help us to find the prime factorisation
of a particular integer n. Finding prime factorisations is not an easy task, and there
are no simple ways to do so. The theorem that we will prove in this section is of
some help since it tells us where to look for the smallest prime divisor of n.
Firstly, we have to define the following useful function.
Definition 1.1.3 Let x be a real number. By ⌊x⌋ we denote the largest integer n such
that n ≤ x. The integer ⌊x⌋ is called the integer part of x or the floor of x.
Example 1.1.6 ⌊π⌋ = 3, ⌊√19⌋ = 4, ⌊−2.1⌋ = −3.
Theorem 1.1.4 The smallest prime divisor of a composite number n is less than or
equal to ⌊√n⌋.
Proof We prove first that n has a divisor which is greater than 1 but not greater than
√n. As n is composite, we have n = d1d2, where d1 > 1 and d2 > 1. If d1 > √n
and d2 > √n, then
$$n = d_1 d_2 > (\sqrt{n})^2 = n,$$
which is impossible. Suppose d1 ≤ √n. Then any of the prime divisors of d1 will
be less than or equal to √n. But every divisor of d1 is also a divisor of n, thus the
smallest prime divisor p of n will satisfy the inequality p ≤ √n. Since p is an
integer, p ≤ ⌊√n⌋. □
Now we may demonstrate a beautiful and efficient method of listing all primes
up to x, called the Sieve of Eratosthenes.
Algorithm (The Sieve of Eratosthenes): To find all the primes up to x begin
by writing down all the integers from 2 to x in ascending order. The first number
on the list is 2. Leave it there and cross out all other multiples of 2. Then use the
following iterative procedure. Let d be the next smallest number on the list that is
not eliminated. Leave d on the list and, if d ≤ √x, cross out all other multiples of
it. If d > √x, then stop. The prime numbers up to x are those which have not been
crossed out.
2 3 5 7
11 13 17 19
23 29
31 37
41 43 47
53 59
61 67
71 73 79
83 89
97
The numbers in this table are all primes not exceeding 100. Please note that we
had to cross out only multiples of the primes from the first row since √100 = 10.
The simplest algorithm for factoring integers is Trial Division.
Algorithm (Trial Division): Suppose a sufficiently long list of primes is available.
Given a positive integer n, divide it with remainder by all primes on the list which
do not exceed √n, starting from 2. The first prime which divides n (call this prime
p1) will be the smallest prime divisor of n. In this case n is composite. Calculate
n1 = n/p1 and repeat the procedure. If none of the primes, which do not exceed √n,
divide n, then n is prime, and its prime factorisation is trivial.
Using the list of primes stored by GAP in the array Primes we can apply the Trial
Division algorithm to factorise numbers not exceeding one million. In practice, it is
virtually impossible to completely factor a large number of about 100 decimal digits
with Trial Division alone unless it has small prime divisors. Trial Division is very fast
for finding small factors (up to about 10^6) of n.
It is important to know how many operations will be needed to factorise n. If we
do not know how many operations are needed, it is impossible to estimate the time it
would take to use the Trial Division Algorithm in the worst possible case—the case
in which small factors are absent.
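The Sieve of Eratosthenes and Trial Division above, written out in Python as an added example (not code from the book, which uses GAP): the sieve crosses out multiples only of primes up to ⌊√x⌋, and the factoriser stops as soon as p² > n by Theorem 1.1.4, refusing to answer when its prime list is too short to decide.

```python
from math import isqrt


def sieve(x):
    """Sieve of Eratosthenes: the list of all primes not exceeding x.

    As in the text, only the multiples of primes d <= floor(sqrt(x)) need to be
    crossed out; once d exceeds that bound every remaining number is prime.
    """
    if x < 2:
        return []
    on_list = bytearray([1]) * (x + 1)      # on_list[k] == 1: k not crossed out yet
    on_list[0] = on_list[1] = 0
    for d in range(2, isqrt(x) + 1):
        if on_list[d]:                      # d survived, so it is prime
            # Cross out 2d, 3d, ... Multiples below d*d already have a smaller
            # prime factor and were crossed out earlier, so start at d*d.
            on_list[d * d::d] = bytes(len(range(d * d, x + 1, d)))
    return [k for k in range(2, x + 1) if on_list[k]]


def prime_counting(x):
    """pi(x): the number of primes not exceeding x."""
    return len(sieve(x))


def trial_division(n, primes):
    """Prime factorisation of n >= 2 by Trial Division over a precomputed prime list.

    Theorem 1.1.4: a composite n has a prime divisor <= floor(sqrt(n)), so once
    the next prime p satisfies p*p > n, whatever is left of n is prime.
    Raises ValueError when the list ends before that bound is reached, because
    then n may still be composite and cannot be decided.
    """
    if n < 2:
        raise ValueError("n must be an integer >= 2")
    factors = []
    for p in primes:
        if p * p > n:
            break
        while n % p == 0:                   # divide p out as often as it goes
            factors.append(p)
            n //= p
    else:
        # The list ran out before some prime with p*p > n: undecidable unless
        # the last prime already exceeds the square root of what remains.
        if n > 1 and (not primes or primes[-1] ** 2 <= n):
            raise ValueError("prime list too short to finish factoring %d" % n)
    if n > 1:
        factors.append(n)                   # the remaining cofactor is prime
    return factors


if __name__ == "__main__":
    primes = sieve(1000)
    print(len(primes), primes[99])                 # 168 541 (GAP's Primes[100])
    print(trial_division(396, primes))            # [2, 2, 3, 3, 11]
    f5 = 2 ** (2 ** 5) + 1
    print(trial_division(f5, sieve(isqrt(f5))))   # [641, 6700417]
```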
Let π(x) denote the number of primes which do not exceed x. Because of the
irregular occurrence of the primes, we cannot expect a simple formula for π(x). The
following simple program calculates this number for x = 1000.
gap> n:=1000;;
gap> piofx:=0;;
gap> p:=2;;
gap> while p<=n do piofx:=piofx+1; p:=NextPrimeInt(p); od;  # count the primes p<=n
gap> piofx;
168
As we see there are 168 primes not exceeding 1000. GAP stores them in an array
Primes. For example, the command
gap> Primes[100];
541
$$\lim_{x \to \infty} \frac{\pi(x) \ln x}{x} = 1, \tag{1.6}$$
where ln x is the natural logarithm, to base e.
The proof is beyond the scope of this book. The first serious attempt towards
proving this theorem (which was long conjectured to be true) was made by Chebyshev⁴
who proved (1848–1850) that if the limit exists at all, then it is necessarily equal to
one. The existence of the limit (1.6) was proved independently by Hadamard⁵ and
de la Vallée-Poussin⁶ with both papers appearing almost simultaneously in 1896.
Corollary 1.1.1 For a large positive integer n there exist approximately n/ ln n
primes among the numbers 1, 2, . . . , n. This can be expressed as
$$\pi(n) \sim \frac{n}{\ln n}, \tag{1.7}$$
where ∼ means approximately equal for large n. (In Sect. 2.3 we will give it a precise
meaning.)
4 Pafnutii Lvovich Chebyshev (1821–1894) was a Russian mathematician who is largely remem-
bered for his investigations in number theory. Chebyshev is also famous for the orthogonal polyno-
mials he invented. He had a strong interest in mechanics as well.
5 Jacques Salomon Hadamard (1865–1963) was a French mathematician whose most important
result is the prime number theorem which he proved in 1896. He worked on entire functions and
zeta functions and became famous for introducing Hadamard matrices and Hadamard transforms.
6 Charles Jean Gustave Nicolas Baron de la Vallée-Poussin (1866–1962) is best known for his
proof of the prime number theorem and his major work Cours d’Analyse. He was additionally known
for his writings about the zeta function, Lebesgue and Stieltjes integrals, conformal representation,
and algebraic and trigonometric series.
Example 1.1.7 Suppose n = 999313. Then ⌊√n⌋ = 999. Using (1.7) we
approximate π(999) as 999/6.9 ≈ 145. The real value of π(999), as we know, is 168.
The number 999 is too small for the approximation in (1.7) to be good.
So, if we try to find a minimal prime divisor of n using Trial Division, then, in the worst
case scenario, we might need to perform 168 divisions. However n = 7 · 142759,
where the latter number is prime. So 7 will be discovered after four divisions only and
factored out but we will need to perform 74 additional divisions to prove that 142759
is prime by dividing 142759 by all primes smaller than or equal to ⌊√142759⌋ = 377.
The following two facts are also related to the distribution of primes. Both facts
are useful to know and easy to remember.
Theorem 1.1.6 (Bertrand’s Postulate) For each positive integer n > 1 there is a
prime p such that n < p < 2n − 2.
In 1845 Bertrand⁷ conjectured that there is at least one prime between n and 2n − 2
for every n > 3 and checked it for numbers up to at least 2 · 10^6. This conjecture,
similar to one stated by Euler one hundred years earlier, was proved by Chebyshev
in 1850.
Theorem 1.1.7 There are arbitrarily large gaps between consecutive primes.
Proof This follows from the fact that, for any positive integer n, all numbers
n! + 2, n! + 3, . . . , n! + n
Exercises
1. (a) Use the Sieve of Eratosthenes to find the prime numbers up to 210. Hence
calculate π(210) exactly.
(b) Calculate the estimate that the Prime Number Theorem gives for π(210) and
compare your result with the exact value of π(210) obtained in (a).
2. Convince yourself that the following program implements the Sieve of
Eratosthenes
7 Joseph Louis Francois Bertrand (1822–1900), born and died in Paris, was a professor at the
École Polytechnique and Collège de France. He was a member of the Paris Academy of Sciences
and was its permanent secretary for twenty-six years. Bertrand made a major contribution to group
theory and published many works on differential geometry and on probability theory.
n:=2*10^3;;
set:=Set([2..n]);;
p:=2;;
while p<RootInt(n)+1 do
k:=2;;
while k*p<n+1 do
RemoveSet(set,k*p);
k:=k+1;
od;
p:=NextPrimeInt(p);
od;
n:=10^6;
set:=Set([1..n]);
p:=3;
while p<n+1 do;
k:=1;
while k*p<n+1 do;
RemoveSet(set,k*p);
k:=k+1;
od;
p:=NextPrimeInt(p);
od;
set;
where pi are distinct primes and αi are positive integers. How can we find all divisors
of n? Let d be a divisor of n. Then n = dm, for some m, thus
Since the prime factorisation of n is unique, d cannot have in its prime factorisation
a prime which is not among the primes p1 , p2 , . . . , pr . Also, a prime pi in the prime
factorisation of d cannot have an exponent greater than αi . Therefore
$$d = p_1^{\beta_1} p_2^{\beta_2} \ldots p_r^{\beta_r}, \qquad 0 \le \beta_i \le \alpha_i,\ i = 1, 2, \ldots, r. \tag{1.9}$$
It is important to note that Eq. (1.10) does not give us a complete algorithm for
the calculation of d(n) as we need to run the factorisation algorithm first. No direct
method of calculation is known.
Definition 1.2.1 The numbers i · n, where i = 0, ±1, ±2, . . . , are called multiples
of n.
where k has none of the primes p1 , p2 , . . . , pr in its prime factorisation. The number
of multiples of n is infinite.
Let a and b be two positive integers. If d is a divisor of a and also a divisor of b,
then we say that d is a common divisor of a and b. As there are only a finite number
of common divisors, there is the greatest common divisor, denoted by gcd(a, b). The
number m is said to be a common multiple of a and b if m is a multiple of a and also
a multiple of b. Among all common multiples there is a minimal one (Least Integer
Principle!). It is called the least common multiple and it is denoted by lcm(a, b).
In the decomposition (1.8), all exponents were positive. However, sometimes it
is convenient to allow some exponents to be 0 as in the formulation of the following
theorem.
be two arbitrary positive integers, where αi ≥ 0 and βi ≥ 0. (We could assume that
a and b are expressed using the same primes p1 , p2 , . . . , pr because we allowed
some exponents to be 0.) Then
and
$$\mathrm{lcm}(a, b) = p_1^{\max(\alpha_1, \beta_1)} p_2^{\max(\alpha_2, \beta_2)} \ldots p_r^{\max(\alpha_r, \beta_r)}. \tag{1.12}$$
Moreover,
gcd(a, b) · lcm(a, b) = a · b. (1.13)
Proof Formulas (1.11) and (1.12) follow from our description of common divi-
sors and common multiples. To prove (1.13) we have to notice that min(αi , βi ) +
max(αi , βi ) = αi + βi . �
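Theorem 1.2.2 and (1.9) turned into code, as an added Python example rather than the book's GAP: divisors and d(n) are enumerated from the exponent bounds 0 ≤ βi ≤ αi, and gcd and lcm are formed from the min and max of the exponents, with (1.13) checked on the result. The factorisation helper uses trial division and is meant for the small numbers of this section.

```python
from itertools import product


def factorisation(n):
    """Prime factorisation of n >= 1 as a dict {p: alpha}, the form (1.8) of the text.

    Trial division by 2, 3, 4, ... (composites never divide what is left, so
    they do no harm); adequate for the small numbers of this section.
    """
    if n < 1:
        raise ValueError("n must be a positive integer")
    exponents, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            exponents[p] = exponents.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:                           # remaining cofactor is prime
        exponents[n] = exponents.get(n, 0) + 1
    return exponents


def divisors(n):
    """All positive divisors of n, built from (1.9): each divisor is
    p_1^beta_1 ... p_r^beta_r with 0 <= beta_i <= alpha_i, one choice per prime."""
    primes = sorted(factorisation(n).items())
    result = []
    for betas in product(*[range(alpha + 1) for _, alpha in primes]):
        d = 1
        for (p, _), beta in zip(primes, betas):
            d *= p ** beta
        result.append(d)
    return sorted(result)


def number_of_divisors(n):
    """d(n) = (alpha_1 + 1) ... (alpha_r + 1): count the choices of beta_i in (1.9)
    without listing the divisors."""
    count = 1
    for alpha in factorisation(n).values():
        count *= alpha + 1
    return count


def gcd_lcm(a, b):
    """gcd and lcm from the factorisations via min/max of exponents, (1.11) and (1.12).
    A prime missing from one factorisation gets exponent 0, as the text allows."""
    fa, fb = factorisation(a), factorisation(b)
    g = l = 1
    for p in set(fa) | set(fb):
        alpha, beta = fa.get(p, 0), fb.get(p, 0)
        g *= p ** min(alpha, beta)
        l *= p ** max(alpha, beta)
    assert g * l == a * b               # identity (1.13): min + max = alpha + beta
    return g, l


if __name__ == "__main__":
    print(factorisation(396), number_of_divisors(396))   # {2: 2, 3: 2, 11: 1} 18
    print(divisors(396))
    print(gcd_lcm(321, 843))                              # (3, 90201), Example 1.2.2
```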
Theorem 1.2.2 gives us an algorithm for calculating the greatest common divisor.
However, it depends on the factorisation algorithm, which is computationally difficult
using existing methods. It is suspected but has not yet been proved that no easy
algorithms for prime factorisation exist. So it is desirable in any number theoretic
algorithm to avoid factorisation of the numbers involved. The algorithm given above
for finding the greatest common divisor cannot be used unless prime factorisation has
already been done. Fortunately, the greatest common divisor gcd(a, b) of numbers
a and b can be found without knowing the prime factorisations of a and b. Such
an algorithm will be presented below. It was known to Euclid; he could even have
been the first to have discovered it. The algorithm is based on the following simple
observation.
Now to the algorithm. The idea of it is clear: start with the pair (a, b) for which
the greatest common divisor is sought, and replace it with a “smaller” pair with the
same greatest common divisor. Repeat the process (if necessary) until the greatest
common divisor is easily seen.
Theorem 1.2.3 (The Euclidean Algorithm) Let a and b be positive integers. We use
the division algorithm several times to find:
$$\begin{aligned}
a &= q_1 b + r_1, & 0 < r_1 < b,\\
b &= q_2 r_1 + r_2, & 0 < r_2 < r_1,\\
r_1 &= q_3 r_2 + r_3, & 0 < r_3 < r_2,\\
&\ \ \vdots \\
r_{s-2} &= q_s r_{s-1} + r_s, & 0 < r_s < r_{s-1},\\
r_{s-1} &= q_{s+1} r_s.
\end{aligned}$$
Example 1.2.2 Let a = 321, b = 843. Find the greatest common divisor gcd(a, b).
The Euclidean algorithm yields
and therefore gcd(321, 843) = 3 and lcm(321, 843) = 321 · 843 / 3 = 107 · 843 =
90201.
Exercises
1. How many divisors does the number 2^2 · 3^3 · 4^4 · 5^5 have? (No GAP, please.)
2. How many divisors does the number 123456789 have?
3. Find all common divisors of 10650 and 6750.
4. (a) Find the greatest common divisor and the least common multiple of m =
2^4 · 3^2 · 5^7 · 11^2 and n = 2^2 · 5^4 · 7^2 · 11^3.
(b) Use GAP to check the identity lcm(m, n) · gcd(m, n) = m · n.
5. Find all positive integers n ≤ 10000 with exactly 33 distinct positive divisors.
6. Calculate d(d(246246)), where d(n) is the number of divisors of n.
7. Show that gcd(a, b) = gcd(a, a − b).
8. Show that the fraction (8n + 13)/(13n + 21) is in lowest possible terms for every n ≥ 1.
9. Suppose two positive integers a and b are relatively prime.
(a) Prove that gcd(a^2, a + b) = 1.
(b) Suppose a + b and a^2 + b^2 are not relatively prime. Find the greatest common
divisor of this pair and give an example of two such integers.
10. Show that any two distinct Fermat numbers are coprime. (Use Exercise 4 of
Sect. 1.1.1.)
11. Use Fermat numbers to give an alternative proof that the number of primes is
infinite.
Given two integers a and b we can consider all their possible linear combinations
k1a + k2b, where k1, k2 ∈ Z. Let us denote this set by <a, b>. We note that a and b
belong to this set since a = 1 · a + 0 · b and b = 0 · a + 1 · b. We also note that when
we add two numbers from <a, b>, even with some coefficients, we always remain
in <a, b>. Indeed, suppose we have linear combinations k1a + k2b and k1'a + k2'b.
Then
$$u(k_1 a + k_2 b) + v(k_1' a + k_2' b) = (u k_1 + v k_1') a + (u k_2 + v k_2') b,$$
Theorem 1.2.4 Let a and b be positive integers. Then there exist integers m and n
such that
gcd(a, b) = ma + nb. (1.14)
The numbers m and n in (1.14) are not unique, moreover there exist infinitely
many such pairs. However, sometimes, knowing even one pair of such numbers is
more important than knowing the greatest common divisor itself. One pair of numbers
m and n satisfying (1.14) can be easily obtained from the Euclidean algorithm by back
substitution. The following theorem provides us with a convenient way of calculating
them. It also gives an alternative proof of the existence of m and n based on Linear
Algebra.
Theorem 1.2.5 (The Extended Euclidean Algorithm) Let us write the following
matrix with two rows R_1, R_2, and three columns C_1, C_2, C_3:
\begin{pmatrix} R_1 \\ R_2 \end{pmatrix} = [C_1 \; C_2 \; C_3] = \begin{pmatrix} a & 1 & 0 \\ b & 0 & 1 \end{pmatrix}.
Proof Note that C_1 = aC_2 + bC_3. In Linear Algebra you have learned that elementary
row operations do not change linear relationships between columns. Since the new rows
were obtained by means of elementary row operations on the existing rows, the
relationships between the columns C'_1, C'_2, C'_3 must be exactly the same as those
between the columns C_1, C_2, C_3 (see Sect. 10.1 of the Appendix for justification).
Thus we conclude that C'_1 = aC'_2 + bC'_3. In particular, r_s = ma + nb. □
Example 1.2.3 Let a = 321, b = 843. Find a linear presentation of the greatest
common divisor in the form gcd(a, b) = ma + nb.
The Euclidean algorithm on these numbers was performed in Example 1.2.2 and
we know that gcd(321, 843) = 3 and all the quotients obtained at each division. The
Extended Euclidean algorithm yields
  321     1     0 |
  843     0     1 |  0
  321     1     0 |  2
  201    −2     1 |  1
  120     3    −1 |  1
   81    −5     2 |  1
   39     8    −3 |  2
    3   −21     8 | 13
where for convenience of performing row operations the quotients are placed on
the right of the bar. Thus we obtain the linear presentation gcd(321, 843) = 3 =
(−21) · 321 + 8 · 843. So m = −21 and n = 8.
The properties of relatively prime numbers gathered in the following are often
used.
which implies min(αi , βi ) = 0 for all i = 1, 2, . . . , r . This means that either the
prime pi does not enter the prime factorisation of a or it does not enter the prime
factorisation of b. Thus a and b do not have primes in common. This proves (a).
Let us prove (b). As we know from (a) the numbers a and b do not have primes
in common in their prime factorisations. Hence
a = p_1^{α_1} p_2^{α_2} ⋯ p_r^{α_r},    b = q_1^{β_1} q_2^{β_2} ⋯ q_s^{β_s},
Since the prime factorisation is unique k must be divisible by q_1^{β_1} q_2^{β_2} ⋯ q_s^{β_s}, which
is b, and m must be divisible by p_1^{α_1} p_2^{α_2} ⋯ p_r^{α_r}, which is a. As a result, c is divisible
by ab.
Due to the uniqueness of the prime factorisation of ac the number c must be divisible
by q_1^{β_1} q_2^{β_2} ⋯ q_s^{β_s}, which is b.
Now (d) follows from Theorem 1.2.5. □
The following result is extremely important. Its author is not known exactly but
it could be Sun Tzu (or Sun Zi)8 in whose book it was first mentioned.
Theorem 1.2.6 (The Chinese Remainder Theorem) Let a and b be two relatively
prime numbers, 0 ≤ r < a and 0 ≤ s < b. Then there exists a unique number N
such that 0 ≤ N < ab and
Proof Let us prove, first, that there exists at most one integer N with the conditions
required. Assume, on the contrary, that for two integers N1 and N2 we have 0 ≤
N1 < ab, 0 ≤ N2 < ab and
Without loss of generality let us assume that N1 > N2 . Then the number M =
N1 − N2 satisfies 0 ≤ M < ab and
r − s = (r − s)ma + (r − s)nb = m'a + n'b,
where m' = (r − s)m and n' = (r − s)n. Let
N = r − m'a = s + n'b.
8 Sun Tzu (3rd–5th century AD) (or Sun Zi) was a Chinese mathematician and astronomer. He
investigated Diophantine equations. He authored “Sun Tzu’s Calculation Classic”, which contained,
among other things, the Chinese remainder theorem.
It clearly satisfies condition (1.15). If N does not satisfy 0 ≤ N < ab, we divide
N by ab with remainder. Let N = q · ab + N1 , where N1 is the remainder. Then
0 ≤ N1 < ab and N1 satisfies (1.15) since N1 has the same remainder as N on
division by a and also by b. The theorem is proved. □
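As an added example (not the book's code), the tableau of Theorem 1.2.5 and the constructive step in the proof of Theorem 1.2.6 in Python. The function names are mine; 321 and 843 are the numbers of Example 1.2.3, and the same routine gives the inverse of 11 modulo 26 that Sect. 1.4 computes with the same tableau.

```python
# Added example, not from the book: the Extended Euclidean Algorithm as the
# row-operation tableau of Theorem 1.2.5, a modular inverse built on it, and
# the Chinese Remainder Theorem assembled exactly as in the proof of Theorem 1.2.6.


def ext_gcd_rows(a, b):
    """Return (g, m, n, rows) with g = gcd(a, b) = m*a + n*b.

    rows is the tableau of Theorem 1.2.5.  Every row (x, u, v) satisfies
    x = u*a + v*b; the first two rows are (a, 1, 0) and (b, 0, 1), and each
    further row is (row before last) - q * (last row), where q is the integer
    quotient of their first entries.  The last row has x = gcd(a, b).
    """
    prev, cur = [a, 1, 0], [b, 0, 1]
    rows = [tuple(prev), tuple(cur)]
    while cur[0] != 0:
        q = prev[0] // cur[0]
        prev, cur = cur, [p - q * c for p, c in zip(prev, cur)]
        if cur[0] != 0:
            rows.append(tuple(cur))
    g, m, n = prev
    return g, m, n, rows


def print_tableau(a, b):
    """Print the tableau as the book lays it out: quotients right of the bar."""
    _, _, _, rows = ext_gcd_rows(a, b)
    for i, (x, u, v) in enumerate(rows):
        # the quotient written on a row is the one used to form the next row
        q = "" if i == 0 else rows[i - 1][0] // x
        print(f"{x:6d} {u:6d} {v:6d} | {q}")


def inverse_mod(a, n):
    """a^{-1} in Z_n, or raise if gcd(a, n) != 1."""
    g, m, _, _ = ext_gcd_rows(a, n)
    if g != 1:
        raise ValueError(f"{a} is not invertible modulo {n}")
    return m % n


def crt(r, a, s, b):
    """The unique N with 0 <= N < ab, N mod a == r and N mod b == s.

    Follows the proof of Theorem 1.2.6: with ma + nb = 1 put m' = (r - s)m and
    n' = (r - s)n, so that r - s = m'a + n'b and N = r - m'a = s + n'b; then
    reduce N modulo ab.
    """
    g, m, n, _ = ext_gcd_rows(a, b)
    if g != 1:
        raise ValueError("a and b must be relatively prime")
    m1, n1 = (r - s) * m, (r - s) * n
    N = r - m1 * a
    assert N == s + n1 * b          # both expressions agree, as in the proof
    return N % (a * b)


if __name__ == "__main__":
    print_tableau(321, 843)         # reproduces the tableau of Example 1.2.3
    print(inverse_mod(11, 26), crt(2, 3, 3, 5))
```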
Exercises
1. Use the Extended Euclidean Algorithm to find the greatest common divisor d of
3773 and 3596 and find any integers x and y such that d = 3773x + 3596y.
2. Using the Extended Euclidean Algorithm, find at least one pair of integers (x, y)
satisfying 1840x +1995y = 5, and at least three pairs of integers (z, w) satisfying
1840z + 1995w = −10.
3. Let a, b, c and d be non-negative integers with c > 1 and d > 1. Suppose that
there exists an integer N such that
Definition 1.3.1 Let n be a positive integer. The number of positive integers not
exceeding n and relatively prime to n is denoted by φ(n). This function is called
Euler’s φ-function or Euler’s totient function.
Let us denote by Zn the set {0, 1, 2, . . . , n−1} and by Z∗n the set of those positive
numbers from Zn that are relatively prime to n. Then φ(n) is the number of elements
of Z∗n , i.e., φ(n) = |Z∗n |.
Example 1.3.1 Let n = 20. Then Z∗20 = {1, 3, 7, 9, 11, 13, 17, 19} and φ(20) = 8.
Lemma 1.3.1 If n = p^k, where p is prime, then φ(n) = p^k − p^{k−1} = p^k (1 − 1/p).
Proof It is easy to list all positive integers that are less than or equal to p^k and
not relatively prime to p^k. They are 1·p, 2·p, 3·p, …, (p^{k−1} − 1)·p. They are all
multiples of p and we have exactly p^{k−1} − 1 of them. To obtain Z_n^* we have to
remove from Z_n all these p^{k−1} − 1 numbers and also 0. Therefore Z_n^* will contain
p^k − (p^{k−1} − 1) − 1 = p^k − p^{k−1} numbers. □
Theorem 1.3.1 Let m and n be any two relatively prime positive integers. Then
φ(mn) = φ(m)φ(n).
Proof Let Z∗m = {r1 , r2 , . . . , rφ(m) } and Z∗n = {s1 , s2 , . . . , sφ(n) }. Let us consider
an arbitrary pair (ri , s j ) of numbers, one from each of these sets. By the Chinese
Remainder Theorem there exists a unique positive integer Ni j such that 0 ≤ Ni j <
mn and
r_i = N_{ij} mod m,    s_j = N_{ij} mod n,
N_{ij} = am + r_i,    N_{ij} = bn + s_j. (1.17)
r = N mod m,    s = N mod n,
where either r does not belong to Z_m^* or s does not belong to Z_n^*. Assuming the
former, we get gcd(r, m) > 1. But then gcd(N, m) = gcd(m, r) > 1, in which case
gcd(N, mn) > 1 too. Thus N does not belong to Z_{mn}^*. This shows that the numbers
N_{ij}—and only these numbers—form Z_{mn}^*. Therefore φ(mn) = φ(m)φ(n). □
Proof We use Lemma 1.3.1 and Theorem 1.3.1 to compute φ(n). Repeatedly apply-
ing Theorem 1.3.1 we get
φ(n) = φ(p_1^{α_1}) φ(p_2^{α_2}) ⋯ φ(p_r^{α_r}).
as required. □
Example 1.3.2 φ(264) = φ(2^3 · 3 · 11) = 264 (1 − 1/2)(1 − 1/3)(1 − 1/11) = 80. We also have
φ(269) = 268 as 269 is prime.
Corollary 1.3.1 If n = pq, where p and q are primes, then φ(n) = ( p−1)(q −1) =
pq − p − q + 1.
There are no known methods for computing φ(n) in situations where the prime
factorisation of n is not known. If n is so big that modern computers cannot factorise
it, you can publish n and keep φ(n) secret.
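As an added example (not the book's code), Euler's function computed from a prime factorisation as in Lemma 1.3.1 and Theorem 1.3.1, together with the reason behind the last sentence above: for n = pq, whoever learns φ(n) recovers p and q. The function names and the sample modulus 101 · 113 are mine.

```python
# Added example, not from the book: phi(n) from the prime factorisation, and
# the converse direction that the text relies on: for n = pq anyone who knows
# phi(n) can factor n, which is why n may be public while phi(n) must stay secret.
from math import isqrt


def factorise(n):
    """Prime factorisation {p: alpha} by trial division (fine for small n)."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1 if d == 2 else 2          # after 2, try odd numbers only
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n):
    """phi(n) = product of p^(alpha-1) (p - 1) over the prime powers in n.

    Lemma 1.3.1 gives phi(p^alpha) = p^alpha - p^(alpha-1); Theorem 1.3.1
    lets the factors be multiplied because the prime powers are coprime.
    """
    result = 1
    for p, alpha in factorise(n).items():
        result *= p ** (alpha - 1) * (p - 1)
    return result


def factor_from_phi(n, phi_n):
    """Given n = pq with p < q distinct primes and phi(n), return (p, q).

    Corollary 1.3.1: phi(n) = pq - p - q + 1, so p + q = n - phi(n) + 1 and
    p, q are the two roots of x^2 - (p + q) x + n = 0.  The discriminant
    (p + q)^2 - 4n = (q - p)^2 must be a perfect square.
    """
    s = n - phi_n + 1                    # p + q
    disc = s * s - 4 * n                 # (q - p)^2
    if disc < 0:
        raise ValueError("phi_n is inconsistent with n = pq")
    d = isqrt(disc)
    if d * d != disc or (s - d) % 2:
        raise ValueError("phi_n is inconsistent with n = pq")
    p, q = (s - d) // 2, (s + d) // 2
    if p * q != n:
        raise ValueError("phi_n is inconsistent with n = pq")
    return p, q


if __name__ == "__main__":
    print(phi(264), phi(269))            # Example 1.3.2: 80 and 268
    n = 101 * 113                        # constructed two-prime modulus
    print(factor_from_phi(n, phi(n)))    # (101, 113): phi(n) gives n away
```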
Exercises
1. Compute φ(125), φ(180) and φ(1001).
2. Factor n = 4386607, which is a product of two primes, given φ(n) = 4382136.
3. Find m = p^2 q^2, given that p and q are primes and φ(m) = 11424.
4. Find the remainder of 2^(2^2013) on division by 5.
5. Using Fermat’s Little Theorem find the remainder on dividing by 7 the number
333^555 + 555^333.
Definition 1.3.2 Let a and b be integers and m be a positive integer. We say that
a is congruent to b modulo m and write a ≡ b mod m if a and b have the same
remainder on dividing by m, that is a mod m = b mod m.
For example, 41 ≡ 80 mod 13 since the numbers 41 and 80 both have remainder
2 when divided by 13. Also, 41 ≡ −37 mod 13. When a and b are not congruent
we write a ≢ b mod m. For example, 41 ≢ 7 mod 13 because 41 has remainder 2,
when divided by 13, and 7 has remainder 7.
Lemma 1.3.2 (Criterion) Let a and b be two integers and m be a positive integer.
Then a ≡ b mod m, if and only if a − b is divisible by m.
Lemma 1.3.3 Let a and b be two integers and m be a positive integer. Then
(a) if a ≡ b mod m and c ≡ d mod m, then a + c ≡ b + d mod m;
(b) if a ≡ b mod m and c ≡ d mod m, then ac ≡ bd mod m;
(c) if a ≡ b mod m and n is a positive integer, then a^n ≡ b^n mod m;
(d) if ac ≡ bc mod m and c is relatively prime to m, then a ≡ b mod m.
ac − bd = (ac − bc) + (bc − bd) = (a − b)c + b(c − d) = icm + jbm = (ic + jb)m,
whence ac ≡ bd mod m.
(c) Follows immediately from (b).
(d) Suppose that ac ≡ bc mod m and gcd(c, m) = 1. Then, by the criterion,
(a − b)c = ac − bc is a multiple of m. As gcd(c, m) = 1, by Lemma 1.2.1(c) a − b
is a multiple of m, and by the criterion a ≡ b mod m. □
which is
(p − 1)! · a^{p−1} ≡ (p − 1)! mod p.
Fermat’s Little Theorem is a powerful (but not perfect) tool for checking primality.
Let
p := 2074722246773485207821695222107608587480996474721117292752992589912196684750549658310084416732550077
gap> PowerMod(3,p-1,p);
1
gap> q:=p^2;;
gap> PowerMod(3,q-1,q)=1;
false
shows that 3^{p−1} ≡ 1 mod p but for q = p^2 we have 3^{q−1} ≢ 1 mod q, thus revealing
the compositeness of q. We will discuss primality checking thoroughly in Sect. 2.4.3.
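The GAP session above, redone in Python as an added example (not the book's code), with the caveat behind "not perfect" made concrete: a composite number can pass the test for some base. The function names and the small numbers 341, 561 and 49 are mine, chosen for illustration.

```python
# Added example, not from the book: the Fermat test of the GAP session above
# in Python, plus the two ways it can mislead and how a practitioner reads it.
from math import gcd


def fermat_passes(n, a):
    """True iff a^(n-1) = 1 mod n for a base a coprime to n.

    Fermat's Little Theorem says every prime n passes for every such a; the
    converse is false, so a pass proves nothing, while a failure proves that
    n is composite.
    """
    if n < 2 or gcd(a, n) != 1:
        return False
    return pow(a, n - 1, n) == 1


def is_prime_trial(n):
    """Slow but exact reference answer, used only to label the outcomes."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def fermat_verdict(n, bases=(2, 3, 5, 7)):
    """'composite' when some base exposes n, otherwise 'probably prime'.

    A base sharing a factor with n already proves compositeness, so it is
    reported rather than skipped.  'probably prime' is not a proof.
    """
    if n < 2:
        raise ValueError("test only integers n >= 2")
    for a in bases:
        if a % n == 0:                   # base is a multiple of n: no information
            continue
        if gcd(a, n) != 1:
            return "composite"           # nontrivial common factor found
        if pow(a, n - 1, n) != 1:
            return "composite"           # Fermat's Little Theorem violated
    return "probably prime"


def fermat_pseudoprimes(a, limit):
    """Composite n <= limit that nevertheless pass the test to base a."""
    return [n for n in range(2, limit + 1)
            if not is_prime_trial(n) and fermat_passes(n, a)]


if __name__ == "__main__":
    # the book's observation on a small scale: 7 passes, 7^2 = 49 does not
    print(fermat_passes(7, 3), fermat_passes(49, 3))
    # 561 passes to base 2 although composite; base 3 exposes it
    print(fermat_verdict(561, bases=(2,)), fermat_verdict(561))
    print(fermat_pseudoprimes(2, 600))
```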
Despite its usefulness, Fermat’s Little Theorem has limited applicability since the
modulus p must be a prime. The following theorem generalises it to an arbitrary
positive integer n. It will be very important in cryptographic applications.
a^{φ(n)} ≡ 1 mod n
which is
Z · a^{φ(n)} ≡ Z mod n,
Example 1.3.4 Using Euler’s Theorem compute the last decimal digit (units digit)
of the number 3^2007.
Since the last decimal digit of 3^2007 is equal to 3^2007 mod 10, we have to calculate
this remainder. As gcd(3, 10) = 1 and φ(10) = 4 we have 3^4 ≡ 1 mod 10. As
3 = 2007 mod 4 we obtain
Exercises
1. Show that:
(a) Both sides of the congruence and its modulus can be simultaneously divided
by a common positive divisor.
(b) If a congruence holds modulo m, then it also holds modulo d, where d is an
arbitrary divisor of m.
(c) If a congruence holds for moduli m 1 and m 2 , then it also holds modulo
lcm(m 1 , m 2 ).
2. Without using mathematical induction show that 72^{2n+2} − 47^{2n} + 28^{2n−1} is
divisible by 25 for any n ≥ 1.
3. Find all positive integer solutions x, y to the equation φ(3^x 5^y) = 600, where φ
is the Euler totient function.
4. List all positive integers a such that 0 ≤ a ≤ 242 for which the congruence
x^{162} ≡ a mod 243 has a solution.
5. Without resorting to the FactorsInt command, factorise n if it is known that it is
a product of two primes and that φ(n) = 3308580.
Proof Only the second property is not completely obvious. We prove it by noting
that a ⊕ b ≡ a + b mod n. Then by Lemma 1.3.3(a)
(a ⊕ b) ⊕ c ≡ (a ⊕ b) + c ≡ (a + b) + c mod n
and
a ⊕ (b ⊕ c) ≡ a ⊕ (b + c) ≡ a + (b + c) mod n,
Definition 1.4.1 An algebraic system < G, + > which consists of a set G together
with an algebraic operation + defined on it is said to be a commutative group if the
following axioms are satisfied:
CG1 The operation is commutative, a + b = b + a, for all a, b ∈ G.
CG2 The operation is associative, a + (b + c) = (a + b) + c, for all a, b, c ∈ G.
CG3 There exists a unique element 0 such that a + 0 = 0 + a = a, for all a ∈ G.
CG4 For every element a ∈ G there exists a unique element −a such that a +
(−a) = (−a) + a = 0, for all a ∈ G.
Thus we can reformulate Theorem 1.4.1 by saying that < Zn , ⊕ > is a commu-
tative group.
Proof Suppose that a ⊕ x = b, where x is a solution. Add (−a) to both sides of the
equation. We get
(−a) ⊕ (a ⊕ x) = (−a) ⊕ b,
from where, by using properties 1–4, we can find that (−a)⊕(a ⊕ x) = ((−a)⊕a)⊕
x = 0 ⊕ x = x, hence x = (−a) ⊕ b. Similar computations show that x = (−a) ⊕ b
is indeed a solution. □
a ⊙ b =_{df} ab mod n. (1.19)
b ⊙ (a ⊙ c) = b ⊙ 1 = b,
and
(b ⊙ a) ⊙ c = 1 ⊙ c = c,
   26     1     0 |
   11     0     1 |  2
    4     1    −2 |  2
    3    −2     5 |  1
    1     3    −7 |  3
Hence, depending on n, the following property may or may not be true for Zn :
9. For every nonzero a ∈ Zn there is a unique element a^{−1} ∈ Zn such that a a^{−1} =
a^{−1} a = 1.
Definition 1.4.5 A commutative ring < R, +, · > is called a field if the following
axiom is satisfied
F1 For every nonzero a ∈ R there is a unique element a^{−1} ∈ R such that a · a^{−1} =
a^{−1} · a = 1.
Exercises
1. Prove that in any commutative ring R a divisor of zero is not invertible. (Hint:
prove first that for any a ∈ R we have a · 0 = 0. Then follow the proof of
Lemma 1.4.2.)
2. (a) List all invertible elements of Z16 and for each invertible element a give its
inverse a^{−1}.
(b) List all zero divisors of Z15 and for each zero divisor a give all non-zero
elements b such that a ⊙ b = 0.
3. (a) Which one of the two elements 74 and 77 is invertible in Z111 and which one
is a zero divisor? For the invertible element a, give the inverse a^{−1} and for
the zero divisor b give the element c ∈ Z111 such that b ⊙ c = c ⊙ b = 0.
(b) Solve the equations 77 ⊙ x ⊕ 21 = 10 and 74 ⊙ x ⊕ 11 = 0 in Z111.
4. Let a and b be two elements of the ring Z21 and let f : Z21 → Z21 be a linear
function defined by f(x) = a ⊙ x ⊕ b (where the operations are computed in
Z21).
(a) Describe the set of all pairs (a, b) for which the function f is one-to-one.
(b) Find the range of the function f for the case a = 7, b = 3.
(c) Suppose a = 4 and b = 15. Find the inverse function f^{−1}(x) = c ⊙ x ⊕ d
which satisfies f^{−1}(f(x)) = x for each x ∈ Z21.
5. How many solutions in Z11 does the equation x^{102} = 4 have? List them all.
6. Given an odd number m > 1, find the remainder when 2^{φ(m)−1} is divided by m.
This remainder should be expressed in terms of m.
7. (Wilson’s Theorem) Let p be an integer greater than one. Prove that p is prime if
and only if (p − 1)! = −1 in Zp. (Hint: 1 and −1 = p − 1 are the only self-inverse
elements of Z∗p.)
8. Prove that any commutative finite ring R (unity is not assumed) without zero
divisors is a field.
In this notation the meaning of a digit depends on its position. Thus two digit symbols
“9” are situated in the tens and the hundreds places and their meaning is different.
In general, for the number N given by (1.20) we write
to emphasise the exceptional role of 10. This notation is called positional, and its
invention has been attributed to the Sumerians or the Babylonians. It was further
developed by Hindus, and proved to be of enormous significance to civilisation. In
Roman symbolism, for example, one wrote
It is clear that more and more new symbols such as I, V, X, C, M are needed as the
numbers get larger while with the Hindu positional system, now in use, we need
only ten “Arabic numerals” 0, 1, 2, . . . , 9, no matter how large the number is. The
positional system was introduced into medieval Europe by merchants, who learned
it from the Arabs. It is exactly this system which is to blame for the fact that the
ancient art of computation, once confined to a few adepts, has become a routine
algorithmic skill that can be done automatically by a machine, and is now taught in
primary school.
Mathematically, there is nothing special about the decimal system. The use of ten
as the base goes back to the dawn of civilisation, and is attributed to the fact that
we have ten fingers on which to count. Other numbers could be used as the base,
and undoubtedly some of them were used. The number words in many languages
show remnants of other bases, mainly twelve, fifteen and twenty. For example, in
English the words for 11 and 12 and in Spanish the words for 11, 12, 13, 14 and 15
are not constructed on the decimal principle. In French the word for 20—vingt—
suggests that that number had a special role at some time in the past. The Babylonian
astronomers had a system of notation with base 60. This is believed to be the reason
for the customary division of the hour and the angular degree into 60 minutes. In the
theorem that follows we show that an arbitrary positive integer b > 1 can be used as
a base.
Theorem 1.5.1 Let b > 1 be a positive integer. Then every positive integer N can
be uniquely represented in the form
N = d_0 + d_1 b + d_2 b^2 + ⋯ + d_n b^n, (1.21)
N_1 = (N − d_0)/b = d_1 + d_2 b + d_3 b^2 + ⋯ + d_n b^{n−1}.
Then clearly
N = d_0 + N_1 b = d_0 + d_1 b + d_2 b^2 + ⋯ + d_n b^n
N = d_0 + d_1 b + d_2 b^2 + ⋯ + d_n b^n = e_0 + e_1 b + e_2 b^2 + ⋯ + e_n b^n.
to express (1.21). The digits di can be found by the repeated application of the division
algorithm as follows:
N = q1 b + d0 , (0 ≤ d0 < b)
q1 = q2 b + d1 , (0 ≤ d1 < b)
..
.
qn = 0 · b + dn (0 ≤ dn < b)
For example, the positional system with base 5 employs the digits 0, 1, 2, 3, 4 and
we can write
1998_{(10)} = 3 · 5^4 + 0 · 5^3 + 4 · 5^2 + 4 · 5 + 3 = 30443_{(5)}.
But in the era of computers it is the binary (or dyadic) system (base 2) that has
emerged as the most important. This system has only two digits, 0 and 1, and a very
simple multiplication table for them. But under the binary system, representations
of numbers get longer quickly. For example,
150_{(10)} = 1 · 2^7 + 0 · 2^6 + 0 · 2^5 + 1 · 2^4 + 0 · 2^3 + 1 · 2^2 + 1 · 2 + 0 = 10010110_{(2)}. (1.23)
Leibniz9 was one of the ardent proponents of the binary system. According to
Laplace: “Leibniz saw in his binary arithmetic the image of creation. He imag-
ined that Unity represented God, and zero the void; that the Supreme Being drew
all beings from the void, just as unity and zero express all numbers in his system of
numeration.”
9 Gottfried Wilhelm von Leibniz (1646–1716) was a German mathematician and philosopher who
developed infinitesimal calculus independently of Isaac Newton, and Leibniz’s mathematical nota-
tion has been widely used ever since it was published. He invented an early mechanical calculating
machine.
Let us look at the binary representation of a number from the information point
of view. Information is measured in bits. One bit is a unit of information expressed
as a choice between two possibilities 0 and 1. The number of binary digits in the
binary representation of a number N is therefore the number of bits we need to
transmit N through an information channel (or input into a computer). For example,
the Eq. (1.23) shows that we need 8 bits to transmit or convey the number 150.
Proof Suppose that N has n binary digits in its binary representation. That is
Example 1.5.2 The input is the number 15011. Convert it to binary. What is the
length of this input?
Solution. Let 15011 = (a_n a_{n−1} … a_1 a_0)_{(2)} be the binary representation of 15011.
We can find the binary digits of 15011 recursively by a series of divisions with
remainder:
15011 = 2 · 7505 + 1 −→ a0 = 1,
7505 = 2 · 3752 + 1 −→ a1 = 1,
3752 = 2 · 1876 + 0 −→ a2 = 0,
1876 = 2 · 938 + 0 −→ a3 = 0,
938 = 2 · 469 + 0 −→ a4 = 0,
469 = 2 · 234 + 1 −→ a5 = 1,
234 = 2 · 117 + 0 −→ a6 = 0,
117 = 2 · 58 + 1 −→ a7 = 1,
58 = 2 · 29 + 0 −→ a8 = 0,
29 = 2 · 14 + 1 −→ a9 = 1,
14 = 2 · 7 + 0 −→ a10 = 0,
7 = 2·3+1 −→ a11 = 1,
3 = 2·1+1 −→ a12 = 1,
1 = 2·0+1 −→ a13 = 1,
we see that 15011 = 11101010100011(2) , reading the binary digits from the column
of remainders from bottom to top. Hence the length of the input is 14 bits. □
Example 1.5.3 To estimate from above and from below the number of bits required
to input an integer N which has 100 digits in its decimal representation we may use
the GAP command LogInt(N,2) to calculate ⌊log_2 N⌋. A 100-digit integer is
between 10^99 and 10^100, so we have
gap> LogInt(10^100,2)+1;
333
gap> LogInt(10^99,2)+1;
329
So the number in this range will need between 329 and 333 bits.
The negative powers of 10 are used to express those real numbers which are not
integers. This also works in other bases. For example,
1/8 = 0.125_{(10)} = 1/10 + 2/10^2 + 5/10^3 = 0/2 + 0/2^2 + 1/2^3 = 0.001_{(2)},
1/7 = 0.142857142857…_{(10)} = 0.(142857)_{(10)} = 0.001001…_{(2)} = 0.(001)_{(2)}.
The binary expansions of irrational numbers, such as
√5 = 10.001111000110111…_{(2)},
Exercises
1. Find the binary representation of the number 2002(10) and the decimal represen-
tation of the number 1100101(2) .
2. (a) Find the binary representation of the number whose decimal representation
is 2011.
(b) Find the decimal representation of the number whose binary representation
is 101001000.
3. Use Euler’s Theorem to find the last three digits in the binary representation of
751015 .
4. How many non-zero digits are there in the binary representation of the integer
1 Chapter 13. Handbook of Theoretical Computer Science. J. Van Leeuwen (ed.) (Elsevier, 1990)
pp. 717–755.
© Springer International Publishing Switzerland 2015 37
A. Slinko, Algebra for Applications, Springer Undergraduate Mathematics Series,
DOI 10.1007/978-3-319-21951-6_2
over great distance. The course of World War II was significantly affected by use,
misuse, and breaking of cryptographic systems used for radio traffic. It is intriguing
the computational engines designed and built by the British to crack the German
Enigma cipher are deemed by some to be the first real “computers”; one could argue
that cryptography is the mother (or at least the midwife) of computer science.” (This
chapter can be downloaded from Ron Rivest’s web page.)
Here, Rivest mentions the famous “Colossus” computers. Until recently all infor-
mation about them was classified. The Colossus computers were built by a dedicated
team of British mathematicians and engineers led by Alan Turing and Tommy Flow-
ers. It was extensively used in the cryptanalysis of high-level German communica-
tions. It is believed that this heroic effort shortened the Second World War by many
months. Recently Colossus was recreated and outperformed a modern computer (in
deciphering messages which had been encrypted using the Lorenz SZ 40/42 cipher
machine).2 Due to the secrecy that surrounded everything related to Colossus, there
arose a myth that the ENIAC was the first large-scale electronic digital calculator in
the world. It was not.
One of the oldest ciphers known is Atbash. It even appears in the Hebrew Scriptures
of the Bible. Any occurrence of the first letter of the alphabet is replaced by the last
letter, occurrences of the second letter are replaced by the second to last etc. Atbash
is a specific example of a general technique called inversion.
Caesar is also a very old cipher used by Gaius Julius Caesar (100 BC–44 BC).
Letters are simply replaced by letters three steps further down the alphabet. This way
‘a’ becomes ‘d’, ‘b’ becomes ‘e’ etc. In fact, any cipher using a displacement of any
size is now known as a Caesar. Caesar is a specific example of a general technique
called displacement.
These two ciphers are examples of the so-called substitution methods which use
a mapping of an alphabet onto itself that replace a character with the one it maps
onto. If the mapping does not change within the message, the scheme is known as a
mono-alphabet scheme. Such cryptosystems were not very secure but were sufficient
when literacy was not widespread.
For both of these cryptosystems it is essential to keep the method of encryption
secret, because even publicising the idea on which it is based might give away an
essential part of the security of the system, especially if the adversary managed to
intercept sufficiently many encrypted messages.
2 For more about this exciting project, and for further historical information about Colossus, see
http://www.codesandcyphers.org.uk/lorenz/rebuild.htm.
By the end of the 19th century it became clear that security must be introduced
differently. In 1883 Auguste Kerckhoffs [9]³ wrote two journal articles titled La
Cryptographie Militaire, in which he stated six design principles for military ciphers.
His main idea—now called Kerckhoffs’ Principle—was that security must come not
from keeping the encryption mechanism secret but from keeping a changeable part of
the encryption mechanism—called the secret key—secret. Depending on the secret
key the encryption mechanism should encrypt messages differently. So, even if the
adversary knows the encryption method but does not know the key, they will not
know how to decrypt messages.
Thus, until recently, a standard cryptographic solution to the privacy problem was
a secret-key cryptosystem, which consisted of the following:
• A message space M: a set of strings (plaintext messages) over some alphabet (e.g.,
binary alphabet, English, Cyrillic or Arabic alphabets);
• A ciphertext space C: a set of strings (ciphertext messages) over some alphabet
(e.g., the alphabet of the dancing men in one of the Arthur Conan Doyle’s stories
of Sherlock Holmes);
• A key space K: a set of strings (keys) over some alphabet;
• An encryption algorithm E : M × K → C, which to every pair m ∈ M and k ∈ K
puts in correspondence a ciphertext E(m, k);
• A decryption algorithm D : C ×K → M with the property that D(E(m, k), k) = m
for all m ∈ M and k ∈ K.
The meaning of the last condition is that if a message is encrypted with a key k,
then the same key, when used in the decryption algorithm, will decrypt this message
from the ciphertext.
To use a secret-key cryptosystem the parties wishing to communicate privately
agree on a key k ∈ K, which they must keep secret. They communicate a message
m ∈ M by sending the ciphertext c = E(m, k). The recipient can decrypt the
ciphertext to obtain the message m by means of the key k and the decryption algorithm
D since m = D(c, k). The cryptosystem is considered to be secure if it is infeasible
in practice for an eavesdropper, who has discovered E(m, k) but does not know k, to
deduce m.
Below we present three examples.
The one-time pad is a nearly perfect solution to the privacy problem. It was invented
in 1917 by Gilbert Vernam (D. Kahn, The Codebreakers, Macmillan, New York,
1967) for use in telegraphy. In this secret-key cryptosystem the key is as long as the
message being encrypted. The key, once used, is discarded and never reused.
3 Auguste Kerckhoffs (1835–1903) was a Dutch linguist and cryptographer who was professor of
languages at the Ecole des Hautes Etudes Commerciales in Paris.
Suppose that parties managed to generate a very long string k of randomly chosen
0’s and 1’s. Suppose that they also managed to secretly deliver k to all parties involved
with the intention to use it as a key. If a party A wishes to send a telegraphic message
m to other parties, then it writes the message as a string of zeros and ones m =
m1 m2 . . . mn , takes the first n numbers from k, that is k = k1 k2 . . . kn and adds these
two strings component-wise mod 2 to get the encrypted message
c = m ⊕ k = c1 c2 . . . cn , where ci = mi ⊕ ki .
Then A destroys the first n numbers of the key. On the receiving end all other parties
decrypt the message c by computing m = c ⊕ k and also destroy the first n numbers
of the key. When another message is to be sent, another part of the key will be
used—hence the name “one-time pad.” This system is unconditionally secure in
the following sense. If c = c1 c2 . . . cn is the ciphertext, then an arbitrary message
m = m1 m2 . . . mn could be sent. Indeed, if the key were m ⊕ c, then m ⊕ (m ⊕ c) = c
and the ciphertext is c.
For written communication this system can be modified as follows. Each letter of
the alphabet is given a number in Z26 :
A B C D E F G H I J K L M
0 1 2 3 4 5 6 7 8 9 10 11 12
N O P Q R S T U V W X Y Z
13 14 15 16 17 18 19 20 21 22 23 24 25
You then agree to use a book, little-known to the general public (considered as a
very long string of letters), as the secret key. For example, “The Complete Poems of
Emily Dickinson” would be a good choice.4 Then you do the same as we did with
telegraphic messages except that we add messages mod 26. Suppose we need to send
a message
BUY TELECOM SHARES
 B  U  Y  T  E  L  E  C  O  M  S  H  A  R  E  S
 1 20 24 19  4 11  4  2 14 12 18  7  0 17  4 18
 B  E  S  T  W  I  T  C  H  C  R  A  F  T  I  S
 1  4 18 19 22  8 19  2  7  2 17  0  5 19  8 18
 2 24 16 12  0 19 23  4 21 14  9  7  5 10 12 10
 C  Y  Q  M  A  T  X  E  V  O  J  H  F  K  M  K
CYQMATXEVOJHFKMK.
This version of the one-time pad is much less secure as it is vulnerable to frequency
analysis.
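Both forms of the one-time pad described above, as an added example (not the book's code): the bitwise version on byte strings, the letter version over Z26 reproducing the BUY TELECOM SHARES computation, and the "every plaintext fits" argument for the random-key version. Function names and the sample byte key are mine.

```python
# Added example, not from the book: the one-time pad in its bitwise form and
# in its letter form over Z_26, plus the key-recovery argument from the text
# that shows why a truly random key makes the ciphertext uninformative.
import secrets


def otp_xor(data, key):
    """c_i = m_i XOR k_i over bytes; the same call decrypts since k XOR k = 0."""
    if len(key) < len(data):
        raise ValueError("the key must be at least as long as the message")
    return bytes(m ^ k for m, k in zip(data, key))


def letters_to_numbers(text):
    """A=0, ..., Z=25 as in the table above; spaces and other symbols are dropped."""
    return [ord(ch) - ord("A") for ch in text.upper() if "A" <= ch <= "Z"]


def numbers_to_letters(nums):
    """Inverse of letters_to_numbers; reduces modulo 26 so negatives are fine."""
    return "".join(chr(n % 26 + ord("A")) for n in nums)


def letter_otp_encrypt(plain, key_text):
    """c_i = (m_i + k_i) mod 26 using the first len(plain) letters of the key."""
    m, k = letters_to_numbers(plain), letters_to_numbers(key_text)
    if len(k) < len(m):
        raise ValueError("key text too short")
    return numbers_to_letters(mi + ki for mi, ki in zip(m, k))


def letter_otp_decrypt(cipher, key_text):
    """m_i = (c_i - k_i) mod 26."""
    c, k = letters_to_numbers(cipher), letters_to_numbers(key_text)
    if len(k) < len(c):
        raise ValueError("key text too short")
    return numbers_to_letters(ci - ki for ci, ki in zip(c, k))


def key_that_explains(cipher, candidate_plain):
    """The key k' = c - m' that would have produced cipher from candidate_plain.

    This is the text's argument: such a k' exists for every candidate of the
    right length, so the ciphertext alone cannot single out the message.  It
    holds only if the key was uniformly random; with book text as the key the
    candidates are not equally likely, hence the frequency-analysis weakness.
    """
    c, m = letters_to_numbers(cipher), letters_to_numbers(candidate_plain)
    if len(c) != len(m):
        raise ValueError("candidate must have the ciphertext's length")
    return numbers_to_letters(ci - mi for ci, mi in zip(c, m))


def random_letter_key(length):
    """A key for the letter version drawn uniformly, as the pad requires."""
    return "".join(chr(secrets.randbelow(26) + ord("A")) for _ in range(length))


if __name__ == "__main__":
    c = letter_otp_encrypt("BUY TELECOM SHARES", "BEST WITCHCRAFT IS")
    print(c)                                         # CYQMATXEVOJHFKMK
    print(key_that_explains(c, "SELLALLYOURSTOCK"))  # a key that also fits c
    k = secrets.token_bytes(16)                      # constructed byte key
    print(otp_xor(otp_xor(b"BUY TELECOM SHARES"[:16], k), k))
```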
Exercises
1. Use Khlebnikov’s poem
Today I will go once again
Into life, into haggling, into the flea market,
And lead the army of my songs
To duel against the market tide.5
This is a substitution cipher which is also based on modular arithmetic. The key to
this cryptosystem is a pair k = (a, b) of numbers a ∈ Z∗26 , b ∈ Z26 . Under this
5 Velemir Khlebnikov (1885–1922) was one of the key poets in the Russian Futurist movement but
his work and influence stretch far beyond it. He was educated as a mathematician and his poetry is
very abstract and mathematical. He experimented with the Russian language, drawing deeply upon
its roots.
system a number in Z26 is assigned to every letter of the alphabet as in the previous
section. Each letter is encoded into the corresponding number x it is assigned to and
then into the letter to which the number a ⊙ x ⊕ b is assigned. For instance, if a = 3
and b = 5, then the letter “H” will have a numerical encoding “7”. Then 3 ⊙ 7 ⊕ 5 = 0
is computed, and we note that “0” is the numerical encoding for “A”, which shows
that “H” is encrypted into “A”. Using the key k = (3, 5), the message
The requirement that a ∈ Z∗26 , i.e., gcd(a, 26) = 1 is needed to ensure that the
encryption function is one-to-one. Indeed, this is equivalent to having the function
E(x) = a ⊙ x ⊕ b
Since the key is very short, this system is not secure: one can simply use all keys one
by one and see which key gives a meaningful result. However it can be meaningfully
used in combination with other cryptosystems. For example, if we use this encryption
first and then use a one-time pad (or the other way around), the frequency analysis
will be very much hampered.
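The cipher of this section as an added example (not the book's code): encryption, decryption via a^{−1}, the key check gcd(a, 26) = 1, and what the map looks like when that check is skipped. Function names are mine; the key (3, 5) and the letter H are the text's.

```python
# Added example, not from the book: the affine cipher over Z_26 with the
# requirement a in Z_26^* enforced, and a look at why it is required.
from math import gcd

M = 26


def valid_multipliers():
    """All a in Z_26^*, i.e. the a with gcd(a, 26) = 1 (there are phi(26) = 12)."""
    return [a for a in range(1, M) if gcd(a, M) == 1]


def affine_encrypt(plain, a, b):
    """E(x) = a x + b mod 26 on each letter (A=0, ..., Z=25); non-letters dropped."""
    if gcd(a, M) != 1:
        raise ValueError(f"a = {a} is not invertible modulo {M}: E is not one-to-one")
    return "".join(chr((a * (ord(ch) - 65) + b) % M + 65)
                   for ch in plain.upper() if "A" <= ch <= "Z")


def affine_decrypt(cipher, a, b):
    """D(y) = a^{-1} (y - b) mod 26; a^{-1} comes from the Extended Euclidean Algorithm."""
    a_inv = pow(a, -1, M)                # raises ValueError when gcd(a, 26) != 1
    return "".join(chr((a_inv * ((ord(ch) - 65) - b)) % M + 65)
                   for ch in cipher.upper() if "A" <= ch <= "Z")


def image_size(a, b):
    """Number of distinct letters x -> a x + b mod 26 can produce.

    26 for a valid key.  For a bad a the map collapses (a = 13 leaves only two
    letters), so several plaintext letters share a ciphertext letter and
    decryption is ambiguous: this is why a must lie in Z_26^*.
    """
    return len({(a * x + b) % M for x in range(M)})


def key_space_size():
    """|Z_26^*| * |Z_26| = 12 * 26 = 312 keys: the reason the cipher is weak alone."""
    return len(valid_multipliers()) * M


if __name__ == "__main__":
    print(affine_encrypt("H", 3, 5), affine_decrypt("A", 3, 5))   # A, H
    print(image_size(3, 5), image_size(13, 5), key_space_size())  # 26, 2, 312
```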
Exercises
Find the original plaintext. The following estimates of the relative frequencies of
the 26 letters in English texts may be of some help. You are also encouraged to
use any computer assistance you need.
where x1 , x2 are the numerical codes for P1 , P2 and y1 , y2 are the numerical codes
for C1 , C2 . The invertibility of K is needed for the unambiguous recovery of x1 , x2
from y1 , y2 .
and suppose the plaintext message is HELP. Then this plaintext is represented by
two pairs
HELP → \begin{pmatrix} H \\ E \end{pmatrix}, \begin{pmatrix} L \\ P \end{pmatrix} → \begin{pmatrix} 7 \\ 4 \end{pmatrix}, \begin{pmatrix} 11 \\ 15 \end{pmatrix}.
Then we compute
\begin{pmatrix} 3 & 3 \\ 2 & 5 \end{pmatrix} \begin{pmatrix} 7 \\ 4 \end{pmatrix} = \begin{pmatrix} 7 \\ 8 \end{pmatrix}, \qquad \begin{pmatrix} 3 & 3 \\ 2 & 5 \end{pmatrix} \begin{pmatrix} 11 \\ 15 \end{pmatrix} = \begin{pmatrix} 0 \\ 19 \end{pmatrix}
Then we compute
\begin{pmatrix} 15 & 17 \\ 20 & 9 \end{pmatrix} \begin{pmatrix} 7 \\ 8 \end{pmatrix} = \begin{pmatrix} 7 \\ 4 \end{pmatrix}, \qquad \begin{pmatrix} 15 & 17 \\ 20 & 9 \end{pmatrix} \begin{pmatrix} 0 \\ 19 \end{pmatrix} = \begin{pmatrix} 11 \\ 15 \end{pmatrix}
is the inverse. �
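Hill's cryptosystem with a 2 × 2 key over Z26 as an added example (not the book's code): the inverse key via det^{−1} · adj(K), the invertibility criterion that Exercise 5 below asks you to prove, and the HELP computation worked above. Function names are mine; the padding letter X for odd-length messages is my convention.

```python
# Added example, not from the book: Hill's cipher with a 2x2 key matrix over
# Z_26, including the determinant test for an invertible key.
from math import gcd

M = 26


def det2(K):
    """det of a 2x2 matrix reduced modulo 26."""
    (a, b), (c, d) = K
    return (a * d - b * c) % M


def is_invertible(K):
    """A matrix over Z_26 is invertible iff its determinant is a unit of Z_26."""
    return gcd(det2(K), M) == 1


def inverse2(K):
    """K^{-1} = det^{-1} * adj(K) mod 26, with adj(K) = [[d, -b], [-c, a]]."""
    (a, b), (c, d) = K
    det = det2(K)
    if gcd(det, M) != 1:
        raise ValueError("key matrix is not invertible modulo 26")
    di = pow(det, -1, M)                 # det^{-1} in Z_26
    return [[(di * d) % M, (di * -b) % M],
            [(di * -c) % M, (di * a) % M]]


def apply2(K, pair):
    """K times the column vector pair, entries reduced modulo 26."""
    x1, x2 = pair
    return [(K[0][0] * x1 + K[0][1] * x2) % M,
            (K[1][0] * x1 + K[1][1] * x2) % M]


def to_nums(text):
    return [ord(ch) - 65 for ch in text.upper() if "A" <= ch <= "Z"]


def to_text(nums):
    return "".join(chr(n + 65) for n in nums)


def hill_encrypt(plain, K):
    """Encrypt letter pairs; an odd-length message is padded with X (my convention)."""
    if not is_invertible(K):
        raise ValueError("key matrix is not invertible modulo 26")
    x = to_nums(plain)
    if len(x) % 2:
        x.append(ord("X") - 65)
    out = []
    for i in range(0, len(x), 2):
        out += apply2(K, x[i:i + 2])
    return to_text(out)


def hill_decrypt(cipher, K):
    """Apply K^{-1} to each ciphertext pair."""
    Kinv = inverse2(K)
    y = to_nums(cipher)
    out = []
    for i in range(0, len(y), 2):
        out += apply2(Kinv, y[i:i + 2])
    return to_text(out)


if __name__ == "__main__":
    K = [[3, 3], [2, 5]]
    print(inverse2(K))                   # [[15, 17], [20, 9]], as in the text
    print(hill_encrypt("HELP", K), hill_decrypt("HIAT", K))
```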
1. (a) Which one of the two matrices, considered as matrices over Z26,
\begin{pmatrix} 1 & 12 \\ 12 & 1 \end{pmatrix}, \qquad \begin{pmatrix} 1 & 6 \\ 6 & 1 \end{pmatrix}
is invertible and which is not? Find the inverse for the invertible matrix.
(b) Let M be the invertible matrix found in part (a). Use it as a key in Hill’s
cryptosystem to encrypt YEAR and to decrypt ROLK.
2. In Hill’s cryptosystem with the key
K = \begin{pmatrix} 11 & 12 \\ 12 & 11 \end{pmatrix}
find all pairs of letters XY which do not change after being encoded twice, i.e.,
if we encode XY we get a pair ZT which is being encoded as XY.
3. You have captured the ciphertext
NWOLBOTEPEHKICNSHR.
You know it has been encrypted using the Hill cipher with a 2 × 2 matrix and you
know the first 4 letters of the message are the word “DEAR”. Find the secret key
and decrypt the message.
4. The key for Hill’s cryptosystem is the following matrix over Z26
K = \begin{pmatrix} 1 & 2 & 3 & 4 & 5 \\ 9 & 11 & 18 & 12 & 4 \\ 1 & 2 & 8 & 23 & 3 \\ 7 & 14 & 21 & 5 & 1 \\ 5 & 20 & 6 & 5 & 0 \end{pmatrix}.
WGVUUTGEPVRIMFTXMXMHCYTNGYMJJE
EZKEWHLQQISDJYJCTYEUBYKFBWPBBE
5. (advanced linear algebra required) Prove that a square n × n matrix A over Z26 is
invertible if and only if its determinant det(A) is an invertible element of Z26 .
Traditional secret-key cryptology assumes that both the sender and the receiver must
be in possession of the same secret key which they use both for encryption and
decryption. This secret key must be delivered all around the world, to all the corre-
spondents. This is a major weakness of this system.
Modern public-key cryptology breaks the symmetry between the sender and the
receiver. It requires two separate keys for each user, one of which is secret (or private)
and one of which is public. The public key is used to encrypt plaintext, whereas the
private key is used to decrypt ciphertext. Since the public key is no longer secret it
can be widely distributed without compromising security. The term “asymmetric”
stems from the use of different keys to perform the encryption and the decryption,
each operation being the inverse of the other—while the conventional (“symmetric”)
cryptography uses the same key to perform both.
The computational complexity is the main reason why the system works. The
adversary will know how to decrypt messages but will still be unable to do it due to
the extremely high complexity of the task.
Example 2.2.1 Given the availability of ordinary telephone books, the function f that maps a name to its phone number can easily be computed in seconds, since it is easy to find a name in the book (names are listed in alphabetical order); but the inverse function $f^{-1}$, from a phone number back to the name, can hardly be performed at all, since in the worst case you need to read the whole book in order to find the name corresponding to a given number. You might need a month to do that.
Example 2.2.2 Imagine that you have taken the time to enter the telephone directory
into your computer, sorted all phone numbers in increasing order, and printed them.
Suppose that it took one month of your time. Then you possess a trapdoor to the one-
way function f described in Example 2.2.1. For you it is equally easy to compute f or
f −1 and you are the only person (at least for the next month) who can compute f −1 .
f (TEXT) = CIPHERTEXT
with a secret trapdoor t. Then she puts this function f in the public domain, where it
is accessible to everyone, and asks everybody to send her f (TEXT) each time when
the necessity arises to send a message TEXT confidentially. Knowing the trapdoor t,
it is an easy job for her to compute the TEXT from f (TEXT) while it is infeasible to
compute it for anybody else. The function f (or a certain parameter which determines
f uniquely) is called Alice’s public key and the trapdoor t is called her private key.
Example 2.2.3 Let us see how we can use the trapdoor function of Example 2.2.1
to construct a public-key cryptosystem. Take the University telephone directory and
announce the method of encryption as follows. Your correspondent must take a letter
of your message, find a name in the directory starting with this letter, and assign
to this letter the phone number of the person with the chosen name. She must do
it with all letters of your message. Then all these phone numbers combined will
form a ciphertext. For example, the message SELL BRIERLY, sent to you, will be
encrypted as follows:
S SCOTT 8751
E EVANS 8057
L LEE 8749
L LEE 5999
B BANDYOPADHYAY 7439
R ROSENBERG 5114
I ITO 7518
E ESCOBAR 6121
R RAWIRI 7938
L LEE 6346
Y YU 5125
87518057874959997439511475186121793863465125
For decryption you must use your private key, which is the inverse telephone directory.
In this section we will develop several rigorous concepts necessary for implementing the idea of the previous section. To measure the running time of an algorithm we need first to choose a unit of work, say one multiplication, or one division with remainder, etc.; we will often call the chosen units of work steps.
It is often the case that not all instances of a problem under consideration are
equally hard even if the two inputs are of the same length. For example, if we feed
an algorithm two different—but equally long—inputs (and we feed them in one at
a time, not both at once) then the algorithm might require an astronomical number
of operations to deal with the first input, but only a handful of operations to deal
with the second input. The (worst case) time complexity of an algorithm is a function
that for each length of the input shows the maximal number of units of work that
may be required. We say that an algorithm is of time complexity f (n) if for all n and
for all inputs of n bits, the execution of the algorithm requires at most f (n) steps.
The worst-case complexity takes into consideration only the hardest instances of the
problem. It is relevant when people are pessimistic, and think that it is very likely
that a really hard instance of the problem will crop up.
Average-case complexity, on the other hand, estimates how difficult the relevant problem is ‘on average’. An optimist, thinking that hard instances of the problem are rare, will be more interested in the average-case than the worst-case complexity. At present, much less is known about the average-case complexity than about the worst-case one, so we concentrate on the latter.
We need a language to compare the time complexity functions of different
algorithms.
$$\lim_{n\to\infty}\frac{f(n)}{g(n)} = 1.$$
$$\frac{f(n)}{a_0 n^d} = \frac{a_0 n^d + a_1 n^{d-1} + \cdots + a_d}{a_0 n^d} = 1 + \frac{a_1}{a_0}\cdot\frac{1}{n} + \cdots + \frac{a_d}{a_0}\cdot\frac{1}{n^d} \to 1.$$
For comparing the growth of functions we use the “little-oh,” “big-Oh” and “big-Theta” notation.
$$\lim_{n\to\infty}\frac{f(n)}{g(n)} = 0.$$
Informally, this means that f grows more slowly than g when n gets large.
$$\frac{1000\,n^{2.9}}{n^3} = \frac{1000}{n^{0.1}} \to 0.$$
However not all comparisons can be done so easily. To compare the rate of growth
of two functions one often needs L’Hospital’s rule. We formulate it in the form that
suits our applications.
Theorem 2.3.1 (L’Hospital’s rule.) Let f(x) and g(x) be two differentiable functions such that $\lim_{x\to\infty} f(x) = \infty$, and $\lim_{x\to\infty} g(x) = \infty$. Suppose that
$$\lim_{x\to\infty}\frac{f'(x)}{g'(x)}$$
exists. Then
$$\lim_{x\to\infty}\frac{f(x)}{g(x)} = \lim_{x\to\infty}\frac{f'(x)}{g'(x)}.$$
Example 2.3.4 $\ln n = o(\sqrt{n})$.
Let us justify this using L’Hospital’s rule. Indeed,
$$\lim_{n\to\infty}\frac{c^n}{n!} = \lim_{n\to\infty}\frac{c^n}{\sqrt{2\pi n}\cdot n^n e^{-n}} = \lim_{n\to\infty}\frac{1}{\sqrt{2\pi n}}\cdot\frac{(ec)^n}{n^n} = \lim_{n\to\infty}\frac{1}{\sqrt{2\pi n}}\cdot\left(\frac{ec}{n}\right)^{n} = 0.$$
Definition 2.3.3 We say that f (n) = O(g(n)) (read “f is big-Oh of g”) if there exists
a number C > 0 and an integer n0 such that for n > n0
Informally, this means that f doesn’t grow at a faster rate than g when n gets large.
Example 2.3.6 (a) $\sin n = O(1)$, (b) $1000n^3 + \sqrt{n} = O(n^3)$.
In the first case $|\sin n| \le 1\cdot 1$ so we can take C = 1. In the second, we note that $\sqrt{n} \le n^3$, hence
$$1000n^3 + \sqrt{n} \le 1001n^3$$
Proof Let $C = |a_0| + |a_1| + \cdots + |a_d|$. Then $x^i < x^d$ for sufficiently large x, and
Definition 2.3.4 We say that $f(n) = \Theta(g(n))$ (read “f is big-Theta of g”) if there exist two numbers c, C > 0 and an integer $n_0$ such that for $n > n_0$
Informally, this means that f grows as fast as g does when n gets large.
Example 2.3.7 $\pi n + \sin(n) = \Theta(n)$ since $2n < |\pi n + \sin(n)| < 5n$ so we can choose c = 2 and C = 5.
These functions are listed in increasing order of the rapidity of growth. Of course
there are some intermediate cases like O(log log n) and O(n log n). The table below
provides estimates of the running times of algorithms for certain orders of complexity.
Here we have problems with input strings of 2, 16 and 64 bits.
If we assume that one operation (unit of labour) requires 1 µs ($= 10^{-6}$ s), then it is worth noting that a problem with exponential complexity will require on input of 64 bits:
Problems which can only be solved by algorithms whose time complexity is expo-
nential quickly become intractable when the size of the input grows. That is why
mathematicians and computer scientists consider polynomial growth as the upper
In a number theoretic algorithm the input is often a number (or several numbers).
So what is the length of the input in bits if it is an integer N? In other words, we are
asking how many zeros and ones one needs to express N. This question was solved
in Sect. 1.5, where we learned how to represent numbers in binary. By Theorem 1.5.2
to express N in binary we need n = log2 N + 1 bits of information. For most
calculations it would be sufficient to use the following approximations: N ≈ 2n and
n ≈ log2 N.
Now we will consider two algorithms for calculating $c^N \bmod m$, where c and m are fixed numbers. Here N is the input and $c^N \bmod m$ is an output. The running time of the algorithm will be measured by the number of modular multiplications required. In ordinary arithmetic this measure might not be satisfactory since the numbers grow in size and some multiplications are much more labour intensive than the others. However, in modular arithmetic all numbers are of approximately equal size and our assumption is realistic.
Algorithm 1 is given by the formula $c^N = (\ldots(((c\cdot c)\cdot c)\cdot c)\ldots)\cdot c$. That is, we calculate powers of c recursively by setting $c^1 = c$ and $c^{i+1} = c^i\cdot c$. To calculate $c^N$ by this method we require N − 1 multiplications. Hence the complexity function f(n) for this algorithm is $f(n) = N - 1 \approx 2^n - 1$, where $n = \log_2 N + 1$ is the length of the input. Since $\tfrac{1}{2}\cdot 2^n < f(n) < 2^n$ we have $f(n) = \Theta(2^n)$. This algorithm has exponential complexity.
We have been too straightforward in calculating cN mod m and the result was
appalling. We can be much more clever and do much better.
Algorithm 2 (Square and Multiply): Let us represent N in binary
So $n - 1 \le f(n) \le 2n - 1$. This means that $f(n) = \Theta(n)$ and the algorithm has linear complexity. We have now proven the following theorem.
Theorem 2.3.2 Let c and m be positive integers. Then for every positive integer N we can calculate $c^N \bmod m$ using at most 2 log N multiplications modulo m. Algorithm 2 (Square and Multiply) has linear complexity.
Example 2.3.8 How many multiplications are needed to calculate $c^{29}$ using Algorithms 1 and 2?
The binary representation for 29 is as follows:
$$29 = 16 + 8 + 4 + 1 = 11101_{(2)}.$$
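Both algorithms for $c^N \bmod m$, as an added Python example (not code from the book), instrumented to count modular multiplications so that Example 2.3.8 can be checked: Algorithm 1 uses N − 1 of them, Algorithm 2 uses one squaring per binary digit after the leading one plus one multiplication per 1-digit, which stays inside the bounds n − 1 ≤ f(n) ≤ 2n − 1.

```python
def naive_power_mod(c, N, m):
    """Algorithm 1: c^N mod m by N - 1 successive multiplications.
    Returns (value, number of modular multiplications)."""
    if N < 1:
        raise ValueError("N must be a positive integer")
    result, count = c % m, 0
    for _ in range(N - 1):
        result = result * c % m
        count += 1
    return result, count

def square_and_multiply(c, N, m):
    """Algorithm 2: scan the binary digits of N from the most significant one;
    square for every digit after the leading 1, and multiply by c when the digit is 1.
    Returns (value, number of modular multiplications)."""
    if N < 1:
        raise ValueError("N must be a positive integer")
    bits = bin(N)[2:]             # e.g. 29 -> '11101'
    result, count = c % m, 0      # the leading digit is always 1, so start from c^1
    for bit in bits[1:]:
        result = result * result % m   # squaring doubles the exponent built so far
        count += 1
        if bit == "1":
            result = result * c % m    # multiplying by c adds 1 to the exponent
            count += 1
    return result, count

def multiplication_bounds(N):
    """The bounds n - 1 <= f(n) <= 2n - 1 from the text, n being the bit length of N."""
    n = N.bit_length()
    return n - 1, 2 * n - 1

if __name__ == "__main__":
    # Example 2.3.8 with a small modulus so the numbers stay readable.
    print(naive_power_mod(2, 29, 1000))       # (912, 28)
    print(square_and_multiply(2, 29, 1000))   # (912, 7)
    print(multiplication_bounds(29))          # (4, 9)
```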
we get r < a/2. Indeed, if q ≥ 2, then r < b < a/q ≤ a/2, and when q = 1, then
b > a/2, hence r = a − b < a/2.
Let us perform the Euclidean algorithm on a and b
$$\begin{aligned}
a &= q_1 b + r_1, & 0 < r_1 < b,\\
b &= q_2 r_1 + r_2, & 0 < r_2 < r_1,\\
r_1 &= q_3 r_2 + r_3, & 0 < r_3 < r_2,\\
&\;\;\vdots\\
r_{s-2} &= q_s r_{s-1} + r_s, & 0 < r_s < r_{s-1},\\
r_{s-1} &= q_{s+1} r_s.
\end{aligned}$$
Then $r_s = \gcd(a, b)$. Due to the observation at the beginning of the proof we can conclude that
$$r_3 < r_1/2 < a/4, \qquad r_5 < r_3/2 < a/8,$$
and by induction $r_{2k+1} < \dfrac{a}{2^{k+1}}$ and $r_{2k} < \dfrac{b}{2^k}$. Suppose the algorithm stops at step s, i.e., after calculating that $r_s = 1$. Then if $s = 2k + 1$, we have $2^{k+1} < a$ and $k < \log_2 a$, whence $s = 2k + 1 < 2\log_2 a + 1$. Hence $s \le 2\log_2 a = 2\log_2 N$. If $s = 2k$, then $2^k < b$, whence $k < \log_2 b \le \log_2 N$, and $s = 2k < 2\log_2 N$.
If a is smaller than b then we will need an additional step, and the number of steps will be no greater than $2\log_2 N + 1$. □
Now we can draw conclusions about the time complexity of the Euclidean algo-
rithm. For one unit of work we will adopt the execution of a single a mod b operation,
that is division of a by b with remainder.
Proof The upper bound in Theorem 2.3.3 can be interpreted as follows. The number
log2 N, where N = max(a, b), is almost exactly the number of bits, say k, in the
binary representation of N. So the length of the input, n, (numbers a and b) is at least
k and at most 2k while the number of units of work is at most 2k. So for the time
complexity function f(n) we have $f(n) \le 2n$. Thus $f(n) = O(n)$. □
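The step count of the Euclidean algorithm, as an added Python example (not code from the book): one unit of work is one division with remainder, as adopted above, and the bound $2\log_2 N + 1$ with N = max(a, b) is checked exhaustively for small inputs and on consecutive Fibonacci numbers, the slowest inputs (every quotient is 1), which is the setting of Exercise 4.

```python
from math import log2

def euclid_steps(a, b):
    """Euclidean algorithm on (a, b); returns (gcd, number of divisions with remainder).
    A division with remainder is the unit of work adopted in the text."""
    if a <= 0 or b <= 0:
        raise ValueError("a and b must be positive")
    steps = 0
    while b != 0:
        a, b = b, a % b      # one "a mod b" operation
        steps += 1
    return a, steps

def step_bound(a, b):
    """The bound 2 log2 N + 1 of Theorem 2.3.3 with N = max(a, b)."""
    return 2 * log2(max(a, b)) + 1

def bound_holds_up_to(limit):
    """Exhaustive check of the bound for every pair 1 <= a, b <= limit,
    including the pairs with a < b that cost the extra step."""
    return all(euclid_steps(a, b)[1] <= step_bound(a, b)
               for a in range(1, limit + 1) for b in range(1, limit + 1))

def fibonacci(k):
    """f_0 = f_1 = 1, f_{k+2} = f_{k+1} + f_k, the indexing used in Exercise 4."""
    f_prev, f_cur = 1, 1
    for _ in range(k):
        f_prev, f_cur = f_cur, f_prev + f_cur
    return f_prev

def fibonacci_steps(k):
    """Divisions needed on the consecutive pair (f_{k+1}, f_k): exactly k, because
    every quotient is 1 and the remainders walk down the whole sequence."""
    return euclid_steps(fibonacci(k + 1), fibonacci(k))[1]

if __name__ == "__main__":
    print(euclid_steps(1071, 462))      # (21, 3)
    print(fibonacci_steps(10))          # 10
    print(step_bound(fibonacci(11), fibonacci(10)))
    print(bound_holds_up_to(100))       # True
```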
In Sect. 1.1.3 we saw that the Trial Division algorithm for factoring an integer n
(which, we recall, could involve performing as many divisions as there are primes between 2 and $\sqrt{n}$), was computationally difficult. Now we can state this precisely.
It has exponential time complexity!
Theorem 2.3.4 (A worst-case time complexity for factoring) The Trial Division
algorithm for factoring integers has exponential complexity.
Proof Let the unit of work be one division. Let us assume that we have an infinite memory and that all primes are stored there: $p_1, p_2, \ldots, p_m, \ldots$. Given a positive integer N we have to try to divide it by all primes which do not exceed $M = \sqrt{N}$. According to the Prime Number Theorem there are approximately
$$\frac{M}{\ln M} \approx \frac{2\sqrt{N}}{\ln N}$$
such primes. This means that in the worst-case scenario we have to try all of them and thus perform $2\sqrt{N}/\ln N$ divisions. Since $N \approx 2^n$, where n is the number of input bits, the worst-case complexity function takes the form
$$f(n) \approx \frac{2}{n\ln 2}\,\sqrt{2}^{\,n} \approx \frac{2}{\ln 2}\cdot\frac{1}{n}\cdot\sqrt{2}^{\,n}.$$
Let $\sqrt{2} = \alpha\beta$, where $\alpha > 1$ and $\beta > 1$. Then
$$\frac{1}{n}\cdot\sqrt{2}^{\,n} = \frac{\alpha^n}{n}\cdot\beta^n > \beta^n.$$
In the case of calculating Nth powers we know one efficient and one inefficient
algorithm. For factoring integers we know only one and it is inefficient. All attempts
of researchers in number theory and computer science to come up with a more effi-
cient algorithm have resulted in only very modest improvements. Several algorithms
are known that are subexponential with the time complexity function, for example,
$f(n) = e^{c\,n^{1/3}(\ln n)^{2/3}}$ (see [1]). This growth is still very fast. At the moment of writing
it is not feasible to factor a 200 digit integer unless it has many small divisors.
Exercises
1. (a) Estimate the number of bits required to input an integer N which has 100 digits in its decimal representation.
(b) Represent n = 1234567 in binary and decide how many multiplications mod m the Square and Multiply algorithm would require to calculate $c^n \bmod m$.
2. The Bubble Sort Algorithm takes a finite list of numbers and arranges them in
the increasing order. Given a list of numbers, it compares each item in the list
with the item next to it, and swaps them if the former is larger than the latter. The
algorithm repeats this process until it makes a pass all the way through the list
without swapping any items (in other words, all items are in the correct order).
This causes larger values to “bubble” to the end of the list while smaller values
“sink” towards the beginning of the list.
Assume that one needs 100 bits to input any number on the list (so the length of
the input is 100n). Take one swap as one unit of work. Determine the worst case
complexity of the Bubble Sort Algorithm. Use the appropriate notation (big-oh,
little oh, etc.) to express the character of the growth.
3. The input of the following algorithm is a positive integer N. The algorithm tries to divide N by the first $(\log_2 N)^3$ primes and, if one of them divides N, it declares N composite. If none of those primes divide N, the algorithm declares N interesting.
What is the worst-case complexity of this algorithm?
4. Let $(f_n)$ be the sequence of Fibonacci numbers given by $f_0 = f_1 = 1$ and $f_{n+2} = f_{n+1} + f_n$.
(a) Prove that
$$f_n < 2f_{n-1} \quad\text{and}\quad f_{n+5} > 10f_n.$$
(b) Using part (a), prove Lamé’s theorem that the number of divisions with
remainder required by the Euclidean algorithm for finding gcd(a, b) is at
most five times the number of decimal digits in the smaller of a or b.
Alice wishes to receive confidential messages from her correspondents. For this
purpose she may use the public-key RSA cryptosystem, named after Rivest, Shamir
and Adelman [2], who invented it in 1977. It is widely used now. It is based on the
fact that the mapping
$$f : x \mapsto x^e \bmod n$$
for a specially selected very large number n and exponent e is a one-way function.
be used for decryption). For example, when Bob wishes to send a private message
to Alice, he obtains Alice’s public key (n, e) from the public domain and uses it as
follows:
• turns the message text into a nonnegative integer m < n (or several of them if
breaking the text into blocks of smaller size is necessary);
• computes $c = m^e \bmod n$;
• sends the ciphertext c to Alice.
Alice then recovers the plaintext m using her private key d (which is the trapdoor
for f ) by calculating
$$m = c^d \bmod n.$$
This may seem to be a miracle at this stage but it can (and, below, will) be explained.
This system can work only because of the clever choice of the primes p and q.
Indeed, p and q should be chosen so that their product n = pq is infeasible to factorise.
This secures that p and q are known only to Alice, while at the same time n and her
public exponent e are known to everybody. This implies that Alice’s private exponent
d is also known only to her. Indeed, to calculate d from publicly known parameters,
one needs to calculate φ(n) first. But the only known method of calculating φ(n)
requires calculation of the prime factorisation of n. Since it is infeasible, we can
publish n but keep φ(n), and hence d, secret.
Example 2.4.1 This is of course a very small example (too small for practical pur-
poses), just to illustrate the algorithms involved. Suppose Alice’s arrangements were
as follows:
1. p = 101, q = 113;
2. n = pq = 11413, φ = (p − 1)(q − 1) = 11200;
3. e = 4203 (picked at random from the interval (1, φ), making sure that
gcd(e, φ) = 1);
4. d = 3267 (the inverse of e in $\mathbb{Z}_\phi$);
5. the public key is therefore (11413, 4203), the private key is 3267.
If Bob wants to send the message “Hello Alice” he transforms it into a number as
described. The message is then represented by the integer
0805121215270112090305.
This is too large (≥11413), so we break the message text into chunks of 2 letters
at a time.
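Example 2.4.1 carried through in Python, as an added example (not code from the book): the letter encoding A = 01, …, Z = 26, space = 27 that yields 0805121215270112090305, the split into 2-letter (4-digit) chunks so that each chunk is below n = 11413, and encryption and decryption with (n, e) = (11413, 4203) and d = 3267. Keeping the trailing 2-digit chunk as its own block, and restoring leading zeros from the chunk widths after decryption, are my assumptions.

```python
# Letter encoding used in Example 2.4.1: A = 01, ..., Z = 26, and space = 27.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ "

def text_to_digits(text):
    """'Hello Alice' -> '0805121215270112090305' (two digits per character)."""
    return "".join(f"{ALPHABET.index(ch) + 1:02d}" for ch in text.upper())

def digits_to_text(digits):
    return "".join(ALPHABET[int(digits[i:i + 2]) - 1] for i in range(0, len(digits), 2))

def split_into_chunks(digits, n):
    """Break the digit string into 2-letter pieces (4 digits), each of which, read as
    an integer, must be smaller than the modulus n; a short final piece is kept as is."""
    chunks = [digits[i:i + 4] for i in range(0, len(digits), 4)]
    if any(int(chunk) >= n for chunk in chunks):
        raise ValueError("a chunk does not fit below the modulus")
    return chunks

def private_exponent(e, phi):
    """d = e^{-1} mod phi; Python's pow with exponent -1 runs the Extended Euclidean
    algorithm for us (Python 3.8+) and raises ValueError if gcd(e, phi) != 1."""
    return pow(e, -1, phi)

def rsa_encrypt_text(text, e, n):
    """Returns the ciphertext integers c = m^e mod n and the width of each chunk."""
    chunks = split_into_chunks(text_to_digits(text), n)
    return [pow(int(chunk), e, n) for chunk in chunks], [len(chunk) for chunk in chunks]

def rsa_decrypt_text(ciphertexts, widths, d, n):
    """Recovers each chunk as m = c^d mod n and re-pads it with leading zeros."""
    digits = "".join(str(pow(c, d, n)).zfill(w) for c, w in zip(ciphertexts, widths))
    return digits_to_text(digits)

if __name__ == "__main__":
    p, q = 101, 113
    n, phi = p * q, (p - 1) * (q - 1)            # 11413, 11200
    e = 4203
    d = private_exponent(e, phi)                  # 3267
    cipher, widths = rsa_encrypt_text("Hello Alice", e, n)
    print(d, cipher)
    print(rsa_decrypt_text(cipher, widths, d, n))   # HELLO ALICE
```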
If Bob wants to receive an encrypted answer from Alice he has to set up a similar
scheme. In practice people do not set up cryptosystems individually but use a trusted
provider of such services. Such a company would create a public domain and place
there all public keys attributed to participating individuals. Such a company creates
an infrastructure that makes encrypted communication possible. The infrastructure
that is needed for such cryptosystem to work is called a public-key infrastructure
(PKI) and the company that certifies that a particular public key belongs to a certain
person or organisation is called a certification authority (CA). The most known such
companies are Symantec (which bought VeriSign), Comodo, GlobalSign, Go Daddy
etc. Furthermore, we will show in Sect. 2.5 that the PKI also allows Alice and Bob
to sign their letters with digital signatures.
Exercises
1. With the primes given in Example 2.4.1 decide which one of the two numbers
e1 = 2145 and e2 = 3861 can be used as a public key and calculate the matching
private key for it.
2. Alice and Bob agreed to use the RSA cryptosystem to communicate in secret.
Each message consists of a single letter which is encoded as
Bob’s public key is (n, e) = (143, 113) and Alice sent him the message 97. Which
letter did Alice send to Bob in this message?
3. Alice’s public exponent in RSA is e = 41 and the modulus is n = 13337. How
many multiplications mod n does Bob need to perform to encrypt his message
m = 2619? (Do not do the actual encryption, just count.)
4. Set up your own RSA cryptosystem. Demonstrate how a message addressed to
you can be encrypted and how you can decrypt it using your private key.
5. Alice and Bob have the public RSA keys (20687, 17179) and (20687, 4913),
respectively. Bob sent an encrypted message to Alice, Eve found out that the
encrypted message was 353. Help Eve to decrypt the message, suspecting that
the modulus 20687 might be a product of two three-digit primes. Try to do it with
an ordinary calculator first, then check your answer with GAP.
6. Alice and Bob encrypt their messages using the RSA method. Bob’s public key
is (n, e) = (24613, 1003).
(a) Alice would like to send Bob the plaintext m = 183. What ciphertext should
she send?
(b) Bob knows that φ(n) = 24300 but has forgotten his private key d. Help Bob
to calculate d.
(c) Bob has received the ciphertext 16935 from Casey addressed to him. Show
how he finds the original plaintext.
There is a very small probability that m will be divisible by p or q but even in this unlikely case we still have $m = (m^e)^d \bmod n$. To prove this we have to consider $(m^e)^d \bmod p$ and $(m^e)^d \bmod q$ separately. Indeed,
$$(m^e)^d = m^{ed} = m^{1 + (p-1)(q-1)x} = m\cdot m^{(p-1)(q-1)x} \equiv \begin{cases} m \bmod p & \text{if } \gcd(m, p) = 1,\\ 0 \bmod p & \text{if } p \mid m, \end{cases}$$
since in the first case by Fermat’s Little Theorem $m^{p-1} \equiv 1 \bmod p$. In both cases we see that $m \equiv (m^e)^d \bmod p$.
Similarly we find $(m^e)^d \equiv m \bmod q$. Then the statement follows from the Chinese Remainder Theorem (Theorem 1.2.6). According to this theorem, there is a unique integer N in the interval [0, pq) such that $N \equiv m \bmod p$ and $N \equiv m \bmod q$. We have two numbers with such property, namely m and $(m^e)^d \bmod n$. Hence they coincide and $m = (m^e)^d \bmod n$.
We have established that the decrypted message is identical to the message that
was encrypted. This resolves the first issue.
2. To resolve the second issue we considered the computational problem of raising
a number to a power. The complexity of this operation is very low, in fact it is linear
(see Theorem 2.3.2). Hence me mod n and cd mod n can be calculated efficiently.
3. It is evident that if the prime factorisation of the number n in the public key is
known then anybody can compute φ and thus d. In this case encrypted messages are
not secure. But for large values of n the task of factorisation is too difficult and time
consuming to be feasible. So the encryption function (raise to power e mod n) is a
one-way function, with d as a trapdoor.
To illustrate how secure the system is Rivest, Shamir and Adelman encrypted a sentence in English. This sentence was converted into a number as we did before (the only difference was that they denoted a space as “00”). Then they encrypted it further using e = 9007 and
n = 11438162575788886766932577997614661201021829672124236256256184293
5706935245733897830597123563958705058989075147599290026879543541.
These two numbers were published, and it was made known that n = pq, where
p and q are primes which contain 64 and 65 digits in their decimal representations,
respectively. Also published was the message
f (m) = 9686961375462206147714092225435588290575999112457431987469512093
0816298225145708356931476622883989628013391990551829945157815154.
An award of $100 was offered for decrypting it. This award was only paid 17 years
later, in 1994, when Atkins et al. [3] reported that they had decrypted the sentence.
This sentence—“The magic words are squeamish ossifrage,”—was placed in the title
of their paper. For decrypting, they factored n and found p and q which were
p = 3490529510847650949147849619903898133417764638493387843990820577
and
q = 32769132993266709549961988190834461413177642967992942539798288533.
In this work 600 volunteers participated. They worked 220 h on 1600 computers to
achieve this result! Recently, in 2009, another effort involving several researchers
factored a 232-digit number (RSA-768) utilising hundreds of machines over a span
of two years. Of course, doable does not mean practical but for very sensitive
information one would now want to choose primes as large as containing 150 digits
and even more.
It can be shown that finding d is just as hard as factoring n, and it is believed that
finding any trapdoor is as hard as factoring n, although this has not been proven. 30
years have passed since RSA was invented and so far all attacks on RSA have been
unsuccessful.
4. To find e and d we need only the Euclidean and the Extended Euclidean algo-
rithms. Indeed, first we try different numbers between 1 and φ(n) at random until
we find one which is relatively prime to φ(n) (the fact that it can be done quickly we
leave here without proof). This will be taken as e. Since d is the inverse of e modulo
φ(n), we find d using the Extended Euclidean algorithm. This can be done because
the Euclidean algorithm is very fast (Corollary 2.3.1).
5. One may ask: if we cannot factor positive integers efficiently, then surely we
will not be able to say if a number is prime or not. If so, our wonderful system is in
danger because two big primes cannot be efficiently found. However this is not the
case and it is easier to establish if a number is prime or not than to factorise it. We
devote the next section to checking primality.
In the case of RSA it is preferable to use the following encodings for letters:
A B C D E F G H I J K L M
11 12 13 14 15 16 17 18 19 20 21 22 23
N O P Q R S T U V W X Y Z
24 25 26 27 28 29 30 31 32 33 34 35 36
The advantage of it is that a letter always has a two-digit encoding which resolves
some ambiguities. We will use it from now on and, in particular, in exercises.
Exercises
1. In RSA Bob has been using a product of two large primes n and a single public
exponent e. In order to increase security, he now chooses two public exponents
e1 and e2 which are both relatively prime to φ(n). He asks Alice to encrypt her
messages twice: once using the first exponent and then using another one. That
is, Alice is supposed to calculate $c_1 = m^{e_1} \pmod n$, then $c_2 = c_1^{e_2} \pmod n$,
and send c2 to Bob. He has also prepared two decryption exponents d1 and d2
for decrypting her messages. Does this double encryption increase security over
single encryption?
2. Eve intercepted the following message from Bob to Alice:
In the public domain Eve learns that this message was sent using the encryption
modulus n = pq = 30796045883. She also observes that Alice’s public key
is e = 48611. Decode the message which was encoded using the encodings
A = 11, B = 12, . . . , Z = 36.
3. Eve has intercepted the following message from Bob to Alice
[ 427849968240759007228494978639775081809,
498308250136673589542748543030806629941,
925288105342943743271024837479707225255,
95024328800414254907217356783906225740 ]
She knows Bob used the RSA cryptosystem with the modulus
n = 956331992007843552652604425031376690367
and that Alice’s public exponent is e = 12398737. She also knows that, to convert
their messages into numbers, Bob and Alice usually use the encodings: space =
00, A = 11, B = 12, . . . , Z = 36. Help Eve to break the code and decrypt the
message.
In this section we will discuss four probabilistic tests that might be used for testing the
compositeness of integers. Their sophistication and quality will gradually increase,
and only the last one will be practical.
By a pseudoprimality test we mean a test that is applied to a pair of integers (b, n),
where 2 ≤ b ≤ n − 1, and that has the following characteristics:
(a) The possible outcomes of the test are: “n is composite” or “inconclusive”.
(b) If the test reports “n is composite” then n is composite.
(c) The test runs in a time that is polynomial in log n (i.e., in the number of bits
necessary to input n).
If n is prime, then the outcome of the test will be “inconclusive” for every b. If the
test result is “inconclusive” for one particular b, then we say that n is a pseudoprime
to the base b (which means that n is so far acting like a prime number).
The outcome of the test for the primality of n depends on the base b that is chosen.
In a good pseudoprimality test there will be many bases b that will reveal that n is
composite in case it is composite. More precisely, a good pseudoprimality test will,
with high probability (i.e., for a large number of choices of the base b) declare that
a composite number n is composite. More formally, we define
said that a given integer n is very probably prime if it was subjected to a good pseudoprimality test, with a large number of different bases b, and was found to be pseudoprime to all of those bases.
Here are four examples of pseudoprimality tests, only one of which is good.
Test 1. Given b, n. Output “n is composite” if b divides n, else “inconclusive.”
If n is composite, the probability that it will be so declared is the probability that
we happen to have found an integer b that divides n. The probability of this event, if
b is chosen at random uniformly from [2, n − 1], is
$$p(n) = \frac{d(n) - 2}{n - 2},$$
where d(n) is the number of divisors of n. Certainly p(n) is not bounded from below by a positive constant t, if n is composite. Indeed, if $n_i = p_i^2$, where $p_i$ is the ith prime, then $d(n_i) = 3$, and
$$p(n_i) = \frac{1}{n_i - 2} \to 0$$
$$p(n) = \frac{4}{42} = \frac{2}{21}.$$
Test 2. Given b, n, where 2 ≤ b ≤ n − 1. Output “n is composite” if gcd(b, n) ≠ 1, else output “inconclusive.”
This test runs in linear time and it is a little better than Test 1, but not yet good.
If n is composite, the number of bases b for which Test 2 will produce the result
“composite” is n − φ(n) − 1, where φ is the Euler totient function. Indeed, we have
φ(n) numbers b that are relatively prime to n; for those numbers b and only for those
we have gcd(b, n) = 1. We also have to exclude b = n which is outside of the range.
Hence the probability of declaring a composite n composite will be
$$p(n) = \frac{n - \phi(n) - 1}{n - 2}.$$
For this test the number of useful bases will be large if n has some small prime
factors, but in that case it is easy to find out that n is composite by other methods.
If n has only a few large prime factors, say if n = p2 , then the proportion of useful
bases is very small, and we have the same kind of inefficiency as in Test 1. Indeed,
if $n_i = p_i^2$, then $\phi(n_i) = p_i(p_i - 1)$ and
$$p(n_i) = \frac{n_i - \phi(n_i) - 1}{n_i - 2} = \frac{p_i^2 - p_i(p_i - 1) - 1}{p_i^2 - 2} = \frac{p_i - 1}{p_i^2 - 2} \sim \frac{1}{p_i} \to 0$$
if $p_i \to \infty$.
Example 2.4.3 Suppose $n = 44 = 2^2\cdot 11$. Then $\phi(n) = 44\left(1 - \frac{1}{2}\right)\left(1 - \frac{1}{11}\right) = 20$, and
$$p(n) = \frac{44 - 20 - 1}{42} = \frac{23}{42}.$$
Test 3. Given b, n. If b and n are not relatively prime or if $b^{n-1} \not\equiv 1 \bmod n$ then output “n is composite”, else output “inconclusive”.
This test rests on Fermat’s Little Theorem. Indeed, if gcd(b, n) > 1 or gcd(b, n) = 1 and $b^{n-1} \not\equiv 1 \bmod n$, then n cannot be prime since, if n was prime, by Fermat’s Little Theorem in the latter case we must have $b^{n-1} \equiv 1 \bmod n$. It also runs in linear time if we use the Square and Multiply algorithm to calculate $b^{n-1}$, and it works much better than the previous two tests.
Example 2.4.4 To see how this test works let us calculate $2^{32} \bmod 33$. We obtain:
561, 1105, 1729, 2465, 2821, 6601, 8911, 10585, 15841, 29341 . . .
Despite such occasional misbehaviour, the test usually seems to perform quite
well. When n = 169 (a difficult integer for tests 1 and 2) it turns out that there
are 158 different b’s in [2, 168] that produce the “composite” outcome from Test 3,
namely every such b except for 19, 22, 23, 70, 80, 89, 99, 146, 147, 150, 168.
Finally, we will describe a good pseudoprimality test. The idea was suggested in
1976 by Miller (see the details in [5]).
However, by (a) and (b) every bracket is non-zero modulo n. Hence there are zero divisors in $\mathbb{Z}_n$ which contradicts the primality of n. This means that if the test outputs “composite”, the number n is composite.
What is the computational complexity of this test? By Theorem 2.3.3, part (a) of the test can be done in O(log n) divisions with remainder, and the complexity of this is at most linear. Similarly, in part (b) of the test there are O(log n) possible values of i to check, and for each of them we do a single multiplication of two integers calculating $b^{2^i t} = b^{2^{i-1} t}\cdot b^{2^{i-1} t}$, each of which has O(log n) bits. Hence the overall complexity is still linear.
This means that Test 4 is a good pseudoprimality test and, if we choose b at random
to prove the compositeness of n, then we will find the required b with probability
greater than 3/4. Hence we can set t = 3/4. The proof of this result cannot be
considered in this book.
Example 2.4.5 If n = 169, then it turns out that for 157 of the possible 167 bases b
in [2, 168] Test 4 will output “169 is composite”. The only bases b that 169 can fool
are 19, 22, 23, 70, 80, 89, 99, 146, 147, 150, 168. In this case the performance of
Test 4 and of Test 3 are identical. However, there are no analogues of the Carmichael
numbers for Test 4.
How can this pseudoprimality test be used to find large primes? Suppose that you
want to generate an n-digit prime. You generate an arbitrary n-digit number r and
subject it to a good pseudoprimality test (for example, Rabin–Miller Test) repeating
the test several times. Suppose that we have done k runs of Test 4 with different
random b’s and each time got the answer ‘inconclusive’. If r is composite, then the
probability that we get the answer “inconclusive” once is less than 1/4. If we run
this test k times, the probability that we get the answer “inconclusive” k times is less
than 1/4k . For k = 5 this probability is less than 10−3 . For k = 10 it is less than
10−6 , which is a very small number already. Since Test 4 performs very quickly we
may run this test 100 times. If we got the answer “inconclusive” all 100 times, the
probability that n is composite is negligible.
In 2002 Agrawal et al. [6] came up with a polynomial deterministic algorithm
(AKS algorithm) for primality testing. It is based on the following variation of Fer-
mat’s Little Theorem for polynomials:
Theorem 2.4.2 Let gcd(a, n) = 1 and n > 1. Then n is prime if and only if
$(x - a)^n \equiv (x^n - a) \bmod n$.
The authors received the 2006 Gödel Prize and the 2006 Fulkerson Prize for this work.
Originally the AKS algorithm had complexity $O((\log n)^{12})$, where n is the number
to be tested, but in 2005 C. Pomerance and H.W. Lenstra, Jr. demonstrated a variant
of the AKS algorithm that runs in $O((\log n)^6)$ operations, a marked improvement over
the bound in the original algorithm. Despite all the efforts it is still not yet practical,
but a number of researchers are actively working on improving this algorithm. See
[7] for more information on the algorithm and a proof of Theorem 2.4.2.
Exercises
1. We implement the first and the second pseudoprimality tests by choosing at ran-
dom b in the interval 1 < b < n and applying it to the pair (b, n).
(a) What is the probability that the first pseudoprimality test finds that 91 is
composite?
(b) What is the probability that the second pseudoprimality test finds that 91 is
composite?
2. Show that the third pseudoprimality test finds that 91 is composite for the pair
(5, 91).
3. Prove that any number $F_n = 2^{2^n} + 1$ is either a prime or a pseudoprime to the
base 2. (Use Exercise 4 in Sect. 1.1.1.)
4. Write a GAP program that checks if a number n is a Carmichael number. Use it
to find out if the number 15841 is a Carmichael number.
5. Prove without using GAP that 561 is a Carmichael number, i.e., $a^{560} \equiv 1 \bmod 561$
for all a relatively prime to 561.
6. Show that 561 is a pseudoprime to the base 7 (i.e., n = 561 passes the Third
Pseudoprimality Test with b = 7) but not a pseudoprime to the base 7 relative to
the Miller–Rabin test.
7. Show that the Miller–Rabin test with b = 2 proves that n = 294409 is composite
(despite 294409 being a Carmichael number).
8. Show that a power of a prime is never a Carmichael number.
2.5 Applications of Cryptology 69
where eU and dU are the public exponent and the private exponent of user U, respec-
tively. One can turn this around to obtain a digital signature. If m is a document which
is to be signed by the user U, then she computes her signature as s = DU (m). The
user sends m together with the signature s. Anyone can now verify the signature by
testing whether EU (s) ≡ m mod NU or not.
This idea was first proposed by Diffie and Hellman [8]. The point is that if the
message m was changed then the old signature would be no longer valid, and the
only person who can create a new signature, matching the new message, should be
someone who knows the private key DU, and we assume that only user U possesses
DU.
By analogy with the paper world, where Alice might sign a letter and seal it in an
envelope addressed to Bob, Alice can sign her electronic letter m to Bob by appending
her digital signature DA (m) to m, and then seal it in an “electronic envelope” with
Bob’s address by encrypting her signed message with Bob’s public key, sending
the resulting message EB (m|DA (m)) to Bob. Only Bob can open this “electronic
envelope” by applying his private key to it to obtain DB (EB (m|DA (m))) = m|DA (m).
After that he will apply Alice’s public key to the signature obtaining EA (DA (m)). On
seeing that EA (DA (m)) = m, Bob can be really sure that the message m came from
Alice and its content was not altered by a third party.
These applications of public-key technology to electronic mail are likely to
become widespread in the near future. For simplicity, we assumed here that the
message m was short enough to be transmitted in one piece. If the message is long
there are methods to keep the signature short. We will not dwell on this here.
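The signature and the electronic envelope described above, as an added Python example (not code from the book). The two key pairs are constructed toy keys chosen so that e·d ≡ 1 (mod φ(N)); E, D, sign, verify, seal and open_envelope are my names for E_U, D_U and the envelope steps. Because m | D_A(m) would not fit below the small moduli, the message and the signature are sealed as two separate RSA blocks under Bob's key, which conveys the same idea.

```python
# Constructed toy RSA keys (illustration only).
# Alice: p = 61, q = 53, phi = 3120;  17 * 2753 = 46801 = 15 * 3120 + 1.
# Bob:   p = 101, q = 113, phi = 11200;  3533 * 6597 = 23307201 = 2081 * 11200 + 1.
ALICE = {"n": 61 * 53, "e": 17, "d": 2753}
BOB = {"n": 101 * 113, "e": 3533, "d": 6597}


def E(key, x):
    """Public operation E_U(x) = x^e mod N_U (anyone can compute it)."""
    return pow(x, key["e"], key["n"])


def D(key, x):
    """Private operation D_U(x) = x^d mod N_U (needs the private exponent)."""
    return pow(x, key["d"], key["n"])


def sign(priv, m):
    """Signature s = D_U(m)."""
    return D(priv, m)


def verify(pub, m, s):
    """Accept iff E_U(s) == m (mod N_U)."""
    return E(pub, s) == m % pub["n"]


def seal(sender_priv, recipient_pub, m):
    """E_B(m | D_A(m)): sign with the sender's private key, then encrypt the
    message and the signature under the recipient's public key."""
    s = sign(sender_priv, m)
    return E(recipient_pub, m), E(recipient_pub, s)


def open_envelope(recipient_priv, sender_pub, envelope):
    """Decrypt with the recipient's private key, then check the sender's
    signature.  Returns (m, True) if it verifies, else (m, False)."""
    c_m, c_s = envelope
    m, s = D(recipient_priv, c_m), D(recipient_priv, c_s)
    return m, verify(sender_pub, m, s)
```

With moduli this small the example only illustrates the algebra: a deployed scheme signs a hash of m under a padding such as PSS rather than the raw integer m, which is also how the signature of a long message is kept short.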
3. Pay-per-view movies. It is common these days that cable TV operators with all-
digital systems encrypt their services. This lets cable operators activate and deactivate
a cable service without sending a technician to your home. The set-up involves each
subscriber having a set-top box, which is a device connected to a television set at the
subscribers’ premises and which allows a subscriber to view encrypted channels of
his choice on payment. The set-top box contains a set of private keys of the user. A
‘header’ broadcast in advance of the movie contains keys sufficient to download the
actual movie. This header is in turn encrypted with the relevant user public keys.
4. Friend-or-foe identification. Suppose A and B share a secret key K. Later, A
is communicating with someone and he wishes to verify that he is communicating
with B. A simple challenge-response protocol to achieve this identification is as
follows:
• A generates a random value r and transmits r to the other party.
• The other party (assuming that it is B) encrypts r using their shared secret key K
and transmits the result back to A.
• A compares the received ciphertext with the result he obtains by encrypting r
himself using the secret key K. If the result agrees with the response from B, A
knows that the other party is B; otherwise he assumes that the other party is an
impostor.
This protocol is generally more useful than the transmission of an unencrypted shared
password from B to A, since the eavesdropper could learn the password and then pre-
tend to be B later. With the challenge-response protocol an eavesdropper presumably
learns nothing about K by hearing many values of r encrypted with K as key.
An interesting exercise is to consider whether the following variant of the above
idea is secure: A sends the encryption of a random r, B decrypts it and sends the
value r to A, and A verifies that the response is correct.
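The challenge–response exchange as an added Python example (my code, not the book's). HMAC-SHA256 stands in for the block cipher E_K: all the protocol relies on is that only a holder of K can compute the response to a fresh r. The names Verifier, Prover and run_protocol are assumptions of the example.

```python
import hashlib
import hmac
import secrets


def keyed_response(K, r):
    """The 'encryption of r under K'.  A keyed MAC stands in for E_K here:
    without K nobody can compute this value for a new r."""
    return hmac.new(K, r, hashlib.sha256).digest()


class Verifier:
    """Party A: issues a fresh random challenge and checks the answer."""

    def __init__(self, K, nonce_len=16):
        self.K = K
        self.nonce_len = nonce_len
        self.pending = None

    def challenge(self):
        self.pending = secrets.token_bytes(self.nonce_len)   # fresh random r
        return self.pending

    def check(self, response):
        r, self.pending = self.pending, None                 # each r is used once
        if r is None:
            return False
        expected = keyed_response(self.K, r)                 # A's own computation
        return hmac.compare_digest(expected, response)       # constant-time compare


class Prover:
    """Party B: answers a challenge with E_K(r)."""

    def __init__(self, K):
        self.K = K

    def respond(self, r):
        return keyed_response(self.K, r)


def run_protocol(verifier, prover):
    """One full round: A -> r -> B -> E_K(r) -> A."""
    r = verifier.challenge()
    return verifier.check(prover.respond(r))
```

The verifier forgets r once it has been checked, so a response captured by an eavesdropper does not verify against a later challenge, and compare_digest avoids leaking through timing where a comparison failed. For the variant at the end of the section, the point to examine is that B then returns the decryption of whatever ciphertext it is sent.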
Exercises
1. Alice and Bob agreed to use Diffie–Hellman secret key exchange to come up with
a secret key for their secret key cryptosystem. They openly agreed on the prime
p = 100140889442062814140434711571
nA = 171024704183616109700818066925197841516671277, eA = 1571,
nB = 839073542734369359260871355939062622747633109, eB = 87697.
pB = 8495789457893457345793, qB = 98763457697834568934613.
m1 = 119570441441889749705031896557386843883475475,
s1 = 443682430493102486978079719507596795657729083
and sends the pair (m1 , s1 ) to Bob. Show how Bob can find the message m and
verify that it came from Alice. (Do not try to convert digits of m into letters, the
message is meaningless.)
References
1. Lenstra, A.K., Lenstra, H.W., Manasse, M.S., Pollard, J.M.: The number field sieve. In: Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, Baltimore, pp. 564–572, 14–16 May 1990
2. Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public key cryptosystems. Commun. ACM 21(2), 120–126 (1978)
3. Atkins, D., Graff, M., Lenstra, A.K., Leyland, P.C.: The magic words are squeamish ossifrage. In: ASIACRYPT-94, Lecture Notes in Computer Science, vol. 917. Springer, New York (1995)
4. Alford, W.R., Granville, A., Pomerance, C.: There are infinitely many Carmichael numbers. Ann. Math. 140, 703–722 (1994)
5. Williams, H.C.: Primality testing on a computer. Ars Combinatoria 5, 127–185 (1978)
6. Agrawal, M., Kayal, N., Saxena, N.: Primes is in P. Department of Computer Science and Engineering, Indian Institute of Technology, Kanpur, India, 6 August 2002
7. Song, Y.Y.: Primality Testing and Integer Factorization in Public-key Cryptography. Kluwer, The Netherlands (2004)
8. Diffie, W., Hellman, M.: New directions in cryptography. IEEE Trans. Inf. Theory IT 22, 644–654 (1976)
9. Kerckhoffs, A.: La cryptographie militaire. Journal des sciences militaires 9, 5–83 (1883)
Chapter 3
Groups
3.1 Permutations
convention. The great advantage of writing the composition in this way is that it is
the same convention as the one used in GAP.
One of the properties of composition of major importance is its compliance with
the associative law.
Proposition 3.1.1 Composition of mappings is associative, that is, given sets A, B,
C, D and mappings f : A → B, g : B → C and h : C → D, we have
(f ◦ g) ◦ h = f ◦ (g ◦ h).
Proof Two mappings from A to D are equal when they assign exactly the same
images in D to every element in A. Let us calculate the image of a ∈ A first under
the mapping (f ◦ g) ◦ h and then under f ◦ (g ◦ h):
The image of a under both mappings is the same. Since a ∈ A was arbitrary, the two
mappings are equal. �
where id is the identity mapping on A. In this case f and g are called mutual inverses
and we use the notation g = f −1 and f = g −1 to express that. Equation (3.1) means
that g maps f (a) to a while f maps g(a) to a, i.e., g undoes the work of f , and f
undoes the work of g.
Example 3.1.1 Let $\mathbb{R}^+$ be the set of positive real numbers. Let $f : \mathbb{R}^+ \to \mathbb{R}$ and
$g : \mathbb{R} \to \mathbb{R}^+$ be given as $f(x) = \ln x$ and $g(x) = e^x$. These are mutual inverses and
hence both functions are invertible.
In what follows we assume that the set A is finite and consider mappings from A
into itself. If A has n elements, for convenience, we assume that the elements of A
are the numbers 1, 2, . . . , n (the elements of any finite set can be labeled with the
first few integers, so this does not restrict generality).
Since a function is specified if we indicate what the image of each element is, we
can specify a permutation π by listing each element together with its image, like so:
$$\pi = \begin{pmatrix} 1 & 2 & 3 & \cdots & n-1 & n \\ \pi(1) & \pi(2) & \pi(3) & \cdots & \pi(n-1) & \pi(n) \end{pmatrix}.$$
Given that π is one-to-one, no number is repeated in the second row of the array.
Given that π is onto, each number from 1 to n appears somewhere in the second row.
In other words, the second row is just a rearrangement of the first.1
Example 3.1.2 $\pi = \begin{pmatrix} 1 & 2 & 3 & 4 & 5 & 6 & 7 \\ 2 & 5 & 3 & 1 & 7 & 6 & 4 \end{pmatrix}$ is the permutation of degree 7 which
maps 1 to 2, 2 to 5, 3 to 3, 4 to 1, 5 to 7, 6 to 6, and 7 to 4.
Example 3.1.3 The mapping σ : {1, 2, . . . , 6} → {1, 2, . . . , 6} given by σ(i) =
3i mod 7 is a permutation of degree 6. Indeed,
and thus
$$\sigma = \begin{pmatrix} 1 & 2 & 3 & 4 & 5 & 6 \\ 3 & 6 & 2 & 5 & 1 & 4 \end{pmatrix}.$$
Then
$$\sigma\pi = \begin{pmatrix} 1&2&3&4&5&6&7&8 \\ 2&4&5&6&1&8&3&7 \end{pmatrix}\begin{pmatrix} 1&2&3&4&5&6&7&8 \\ 4&6&1&3&8&5&7&2 \end{pmatrix} = \begin{pmatrix} 1&2&3&4&5&6&7&8 \\ 6&3&8&5&4&2&1&7 \end{pmatrix},$$
1 Clearly, in this case of finite sets, one-to-one implies onto and vice versa but this will no longer be
and
$$\pi\sigma = \begin{pmatrix} 1&2&3&4&5&6&7&8 \\ 4&6&1&3&8&5&7&2 \end{pmatrix}\begin{pmatrix} 1&2&3&4&5&6&7&8 \\ 2&4&5&6&1&8&3&7 \end{pmatrix} = \begin{pmatrix} 1&2&3&4&5&6&7&8 \\ 6&8&2&5&7&1&3&4 \end{pmatrix}.$$
Important Note: the example shows clearly that $\pi\sigma \ne \sigma\pi$, that is, the commuta-
tive law for permutations does not hold; so we have to be very careful about the order
of the factors in a product of permutations. But the good news is that the composition
of permutations is associative. This follows from Proposition 3.1.1.
We can also calculate the inverse of a permutation; for example, using the same
π as above, we find
$$\pi^{-1} = \begin{pmatrix} 1&2&3&4&5&6&7&8 \\ 3&8&4&1&6&2&7&5 \end{pmatrix}.$$
Explanation: just read the array for π from the bottom up: since π(1) = 4, we must
have π −1 (4) = 1, hence write 1 under the 4 in the array for π −1 , since π(2) = 6, we
must have π −1 (6) = 2, hence write 2 under the 6 in the array for π −1 , etc. In this
case we will indeed have ππ −1 = id = π −1 π.
Similarly, we calculate
$$\sigma^{-1} = \begin{pmatrix} 1&2&3&4&5&6&7&8 \\ 5&1&7&2&3&4&8&6 \end{pmatrix}.$$
3.1 Permutations 77
Simple algebra shows that the inverse of a product can be calculated from the product
of the inverses (but note how the order is reversed!):
(πσ)−1 = σ −1 π −1 . (3.2)
To justify this, we need only to check that the product of πσ and σ −1 π −1 equals the
identity, and this is pure algebra: it follows from the associative law that
Definition 3.1.2 The set of all permutations of degree n with the operation of com-
position is called the symmetric group of degree n, and is denoted by Sn .
1. In the following two cases calculate f ◦ g and g ◦ f . Note that they are different
and even their natural domains are different.
(a) $f(x) = \sin x$ and $g(x) = 1/x$;
(b) $f(x) = e^x$ and $g(x) = \sqrt{x}$.
2. Let $R_\theta$ be an anticlockwise rotation of the plane about the origin through an
angle θ. Show that $R_\theta$ is invertible with the inverse $R_{2\pi-\theta}$.
3. Show that any reflection H of the plane in any line is invertible and the inverse
of H is H itself.
4. Determine how many permutations of degree n act identically on a fixed set of
k elements of {1, 2, . . . , n}.
5. Show that the mapping σ : {1, 2, . . . , 8} → {1, 2, . . . , 8} given by σ(i) =
5i mod 9 is a permutation by writing it down in the form of a table.
6. Let the mapping π : {1, 2, . . . , 12} → {1, 2, . . . , 12} be defined by π(k) =
3k mod 13. Show that π is a permutation of S12 .
2 Évariste Galois (1811–1832), a French mathematician who was the first to use the word “group”
(French: groupe) as a technical term in mathematics to represent a group of permutations. While
still in his teens, he was able to determine a necessary and sufficient condition for a polynomial to
be solvable by radicals, thereby solving a long-standing problem. His work laid the foundations for
Galois theory, a major branch of abstract algebra.
9. Let
$$\sigma = \begin{pmatrix} 1&2&3&4&5&6&7&8&9 \\ 2&4&5&6&1&9&8&3&7 \end{pmatrix}, \qquad \gamma = \begin{pmatrix} 1&2&3&4&5&6&7&8&9 \\ 6&2&7&9&3&8&1&4&5 \end{pmatrix}.$$
which means the symbols of the message are permuted in accord with the permutation
π. If the message is longer than n we split it into smaller segments of length n. (It
is always possible to add some junk letters to make the total length of the message
divisible by n.)
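The permutation cipher just described, as an added Python example (not the book's GAP code). Permutations are tuples in one-line form, p[i-1] = π(i), products are taken left to right as in the book and in GAP, and the names compose, inverse, permute_block, encrypt and decrypt are my own. The message is cut into segments of length n, the last one filled with junk letters, and every segment is rearranged by π; decryption is the same operation with $\pi^{-1}$.

```python
def compose(sigma, tau):
    """Product sigma*tau in the book's left-to-right convention:
    (sigma*tau)(i) = tau(sigma(i)).  A permutation is a tuple p with p[i-1] = p(i)."""
    return tuple(tau[sigma[i - 1] - 1] for i in range(1, len(sigma) + 1))


def inverse(pi):
    """Read the two-row array from the bottom up: pi(i) = j gives inverse(j) = i."""
    inv = [0] * len(pi)
    for i, image in enumerate(pi, start=1):
        inv[image - 1] = i
    return tuple(inv)


def is_permutation(p):
    """The second row must be a rearrangement of 1, 2, ..., n."""
    return sorted(p) == list(range(1, len(p) + 1))


def permute_block(block, pi):
    """The symbol in position i moves to position pi(i)."""
    out = [None] * len(block)
    for i, ch in enumerate(block, start=1):
        out[pi[i - 1] - 1] = ch
    return "".join(out)


def encrypt(message, pi, pad="X"):
    """Split into segments of length n = len(pi), padding the last with junk
    letters, and permute each segment according to pi."""
    n = len(pi)
    if len(message) % n:
        message += pad * (n - len(message) % n)
    return "".join(permute_block(message[k:k + n], pi)
                   for k in range(0, len(message), n))


def decrypt(ciphertext, pi):
    """Decryption is encryption with the inverse permutation; the padding
    letters are still there and are discarded by agreement."""
    return encrypt(ciphertext, inverse(pi))
```

Using the degree-8 permutations π and σ of the previous section as keys, the test below also re-derives the products σπ, πσ and the inverse $\pi^{-1}$ computed in the text, and the relation (3.2). A permutation cipher only rearranges symbols, so letter frequencies are left unchanged; that is why it is presented here as an exercise in permutations rather than as a cipher to rely on.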
3 J. Daemen and V. Rijmen. The block cipher Rijndael, Smart Card Research and Applications,
LNCS 1820, Springer–Verlag, pp. 288–296.
whilst the ones in the bracket are mapped to the one listed to the right, except the
rightmost one, which is mapped to the leftmost on the list.
Note: cycle notation is not unique, since there is no beginning or end to a circle.
We can write π = (5 4 7 2) and π = (2 5 4 7), as well as π = (4 7 2 5) and
π = (7 2 5 4)—they all denote one and the same cycle.
We say that a permutation is a cycle of length k (or a k-cycle) if it moves k numbers.
For example, (3 6 4 9 2) is a 5-cycle, (3 6) is a 2-cycle, (1 3 2) is a 3-cycle. We note
also that the inverse of a cycle is again a cycle. For example (1 2 3)−1 = (1 3 2) (or
(3 2 1) if you prefer). Similarly, (1 2 3 4 5)−1 = (1 5 4 3 2). To find the inverse of
a cycle one has to reverse the arrows. This leads us to the following
Theorem 3.1.2 $(i_1\, i_2\, i_3 \ldots i_k)^{-1} = (i_k\, i_{k-1} \ldots i_2\, i_1)$.
Not all permutations are cycles; for example, the permutation
$$\sigma = \begin{pmatrix} 1&2&3&4&5&6&7&8&9&10&11&12 \\ 4&3&2&11&8&9&5&6&7&10&1&12 \end{pmatrix} \qquad (3.3)$$
is not a cycle (we have $1 \xrightarrow{\sigma} 4 \xrightarrow{\sigma} 11 \xrightarrow{\sigma} 1$, but the other elements are not all
fixed; 2 goes to 3, for example). Let us chase other elements. We find: $2 \xrightarrow{\sigma} 3 \xrightarrow{\sigma} 2$
and $5 \xrightarrow{\sigma} 8 \xrightarrow{\sigma} 6 \xrightarrow{\sigma} 9 \xrightarrow{\sigma} 7 \xrightarrow{\sigma} 5$. So in the permutation σ three cycles coexist
peacefully.
Two cycles $(i_1\, i_2\, i_3 \ldots i_k)$ and $(j_1\, j_2\, j_3 \ldots j_m)$ are said to be disjoint, if the sets
$\{i_1, i_2, \ldots, i_k\}$ and $\{j_1, j_2, \ldots, j_m\}$ have empty intersection. For instance, we may say
that
(1 5 8) and (2 4 3 6 9)
are disjoint. Any two disjoint cycles σ and τ commute, i.e., στ = τ σ (see Exercise 1).
For example,
(1 2 3 4)(5 6 7) = (5 6 7)(1 2 3 4).
However, if we multiply any cycles which are not disjoint, we have to watch their
order; for example: (1 2)(1 3) = (1 2 3), whilst (1 3)(1 2) = (1 3 2), and
(1 3 2) ≠ (1 2 3).
The relationship between a cycle and the permutation group it belongs to is much
like that between a prime and the natural numbers.
any element of the set $\{i_1, i_2, \ldots, i_k\}$ and acts as σ on the complement of this set. So
σ′ fixes strictly more elements than σ does. This operation can be now applied to σ′
and so on. It will terminate at some stage and at that moment σ will be represented
as a product of disjoint cycles. �
Exercises
1. Explain why any two disjoint cycles commute.
2. Let the mapping π : {1, 2, . . . , 12} → {1, 2, . . . , 12} be defined by π(k) =
3k mod 13. This is a permutation, don’t prove this. Find the decomposition
of π into disjoint cycles.
3. Calculate the following product of permutations in S5
Calculate (στ )−1 and represent the result as a product of disjoint cycles.
Definition 3.1.3 Let π be a permutation. The smallest positive integer i such that
$\pi^i = \mathrm{id}$ is called the order of π.
It is not immediately obvious that any permutation has an order. We will see later
that this is indeed the case.
Example 3.1.7 Let us calculate the order of the permutation π = (1 2)(3 4 5). We
have:
π = (1 2)(3 4 5),
$\pi^2$ = (3 5 4),
$\pi^3$ = (1 2),
$\pi^4$ = (3 4 5),
$\pi^5$ = (1 2)(3 5 4),
$\pi^6$ = id.
So the order of π is 2 · 3 = 6 (note that π has been given as a product of two disjoint
cycles with relatively prime lengths).
Example 3.1.8 The order of the permutation ρ = (1 2)(3 4 5 6) is four. To see this let
us calculate
ρ = (1 2)(3 4 5 6),
$\rho^2$ = (3 5)(4 6),
$\rho^3$ = (1 2)(3 6 5 4),
$\rho^4$ = id.
So the order of ρ is 4 (note that ρ has been given as a product of disjoint cycles but
their lengths were not coprime).
More generally, this suggests that the order of a product of disjoint cycles equals
the least common multiple of the lengths of those cycles. We will upgrade this
suggestion into a theorem.
The powers of cycles $\tau_1^m, \tau_2^m, \ldots, \tau_r^m$ act on disjoint sets of indices and, since
$\sigma^m = \mathrm{id}$, it must be $\tau_1^m = \tau_2^m = \cdots = \tau_r^m = \mathrm{id}$. For if not, and $\tau_s^m(i) = j$ with
$i \ne j$, then the product $\tau_1^m \tau_2^m \ldots \tau_r^m$ cannot be equal to id because all permutations
$\tau_1^m, \ldots, \tau_{s-1}^m, \tau_{s+1}^m, \ldots, \tau_r^m$ leave i and j invariant. Thus the order of σ is a multiple
of each of the $k_1, k_2, \ldots, k_r$ and hence a multiple of the least common multiple of
them. Thus the order of σ is not smaller than $\operatorname{lcm}(k_1, k_2, \ldots, k_r)$. This proves the
theorem. �
is lcm(4, 3, 2, 3, 5) = 60. Before applying the formula (3.4) we must carefully check
that the cycles are disjoint.
we represent it as
σ = (1 4 11)(2 3)(5 8 6 9 7),
Exercises
At first it is obvious whose turn it was to be killed. Initially, the men in positions
3, 6, 9, 12, . . . , 39 were killed. The next man to be killed was in position 1 and
then in position 5 (since the man in position 3 was slaughtered earlier), and so on.
Josephus (according to the story) instantly figured out where he ought to stand
in order to be the last man to go. When the time came, instead of killing him-
self, he surrendered to the Romans and lived to write his famous histories: “The
Antiquities” and “The Jewish War”.
(a) Find the permutation σ (called the Josephus permutation) for which σ(i) is
the number of the man who was ith to be killed.
(b) In which position did Josephus stand around the circle?
(c) Find the cyclic structure of the Josephus permutation.
(d) What is the order of the Josephus permutation?
(e) Calculate $\sigma^2$ and $\sigma^3$.
3. The mapping π(i) = 13i mod 23 is a permutation of S22 (do not prove this). Find
the decomposition of π into a product of disjoint cycles and determine the order
of this permutation.
$a_1\, a_2\, a_3 \ldots a_{2n-1}\, a_{2n}$.
We split the deck into two halves which contain the cards $a_1, a_2, \ldots, a_n$ and
$a_{n+1}, a_{n+2}, \ldots, a_{2n}$, respectively. Then we interlace them as follows. We put the first
card of the second pile first, then the first card of the first pile, then the second card of
the second pile, then the second card of the first pile etc. This is called the interlacing
shuffle. After this operation the order of cards will be:
in correspondence to this shuffle. All it says is that the first card goes to the second
position, the second card is moved to the fourth position, etc. We see that we can
define this permutation by the formula:
$\sigma_n(i) = 2i \bmod (2n+1)$
and $\sigma_n(i)$ is the position of the ith card after the shuffle. What will happen after
2, 3, 4, . . . shuffles? The resulting change will be characterized by the permutations
$\sigma_n^2, \sigma_n^3, \sigma_n^4, \ldots$, respectively.
The order of $\sigma_4$ is 6.
Also $\sigma_5^{10} = \mathrm{id}$ and 10 is the order of $\sigma_5$. Hence all cards will be back to their initial
positions after 10 shuffles but not before.
Let us deal with the real thing, that is, the deck of 52 cards. We know that
the interlacing shuffle is defined by the equation $\sigma_{26}(i) = 2i \bmod 53$. GAP helps us
to investigate. We have:
gap> lastrow:=[1..52];;
gap> for i in [1..52] do
> lastrow[i]:=2*i mod 53;
> od;
gap> lastrow;
[ 2, 4, 6, 8, 10, 12, 14, 16, 18, 20, 22, 24, 26, 28, 30, 32, 34, 36, 38, 40,
42, 44, 46, 48, 50, 52, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19, 21, 23, 25, 27,
29, 31, 33, 35, 37, 39, 41, 43, 45, 47, 49, 51 ]
gap> PermList(lastrow);
(1,2,4,8,16,32,11,22,44,35,17,34,15,30,7,14,28,3,6,12,24,48,43,33,13,26,52,51,
49,45,37,21,42,31,9,18,36,19,38,23,46,39,25,50,47,41,29,5,10,20,40,27)
gap> Order(last);
52
Thus the interlacing shuffle σ26 is a cycle of length 52 and has order 52.
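The cycle decomposition, the order formula and the interlacing shuffle, as one added Python example that reproduces the GAP session above without GAP (it is my code, not the book's). Permutations are tuples in one-line form, p[i-1] = π(i), products are left to right as in the book; cycles, order, order_by_powers, from_cycles and interlacing_shuffle are my names. The lcm formula is cross-checked against the definition of order by actually multiplying until the identity appears.

```python
from functools import reduce
from math import gcd


def compose(sigma, tau):
    """sigma*tau, left to right as in the book: (sigma*tau)(i) = tau(sigma(i))."""
    return tuple(tau[sigma[i - 1] - 1] for i in range(1, len(sigma) + 1))


def from_cycles(n, *cycles_):
    """The permutation of degree n given as a product of disjoint cycles."""
    p = list(range(1, n + 1))
    for cyc in cycles_:
        for a, b in zip(cyc, cyc[1:] + cyc[:1]):
            p[a - 1] = b
    return tuple(p)


def cycles(pi):
    """Disjoint cycles of pi (fixed points omitted); each cycle starts at its
    smallest element and the cycles are listed by that element."""
    seen, result = set(), []
    for start in range(1, len(pi) + 1):
        if start in seen or pi[start - 1] == start:
            continue
        cyc, x = [], start
        while x not in seen:              # chase the element until it returns
            seen.add(x)
            cyc.append(x)
            x = pi[x - 1]
        result.append(tuple(cyc))
    return result


def cycle_notation(pi):
    return "".join("(" + " ".join(map(str, c)) + ")" for c in cycles(pi)) or "id"


def lcm(a, b):
    return a * b // gcd(a, b)


def order(pi):
    """Order of pi as the lcm of the lengths of its disjoint cycles."""
    return reduce(lcm, (len(c) for c in cycles(pi)), 1)


def order_by_powers(pi):
    """Order straight from Definition 3.1.3: the least m with pi^m = id.
    Used only to cross-check the lcm formula."""
    identity = tuple(range(1, len(pi) + 1))
    power, m = pi, 1
    while power != identity:
        power, m = compose(power, pi), m + 1
    return m


def interlacing_shuffle(n):
    """sigma_n(i) = 2i mod (2n+1): where the i-th card of a deck of 2n cards
    lands after one interlacing shuffle."""
    return tuple(2 * i % (2 * n + 1) for i in range(1, 2 * n + 1))
```

For the 52-card deck, cycles(interlacing_shuffle(26)) returns the single 52-cycle that GAP printed with PermList, and order gives 52, so the deck returns to its initial order after 52 shuffles and not before.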
Exercises
1. A shuffle of a deck of 15 cards is made as follows. The top card is put at the bottom,
the deck is cut into three equal decks, the bottom third is switched with the middle
third, and then the resulting bottom card is placed on the top. How many times
must this shuffle be repeated to get the cards back in the initial order? Write
down the permutation corresponding to this shuffle and find its decomposition
into disjoint cycles.
2. Use GAP to determine the decomposition into disjoint cycles and the order of the
interlacing shuffle $\sigma_{52}$ for the deck of 104 cards which consists of two copies of
ordinary decks with 52 cards in each.
3. On a circle there are n beetles. At a certain moment they start to move all at once
and with the same speed (but maybe in different directions). When two beetles
meet, both of them reverse their directions and continue to move with the same
speed. Prove that there will be a moment when all beetles again occupy their
initial positions. (Hint: Suppose one beetle makes the full circle in time t. Think
about what will happen after time t when all beetles move.)
Cycles of length 2 are the simplest permutations, as they move only two elements.
We define
Example 3.1.13 (1 2 3 4 5) = (1 2)(1 3)(1 4)(1 5) (just check that the left-hand
side equals the right-hand side!).
Example 3.1.15 Note that there are many different ways to write a permutation as
product of transpositions; for example, (1 2 3 4 5) can be written in any of the
following forms
(Don’t ask how these products were found! The point is to check that all these
products are equal, and to note that there is nothing unique about how one can write
a permutation as a product of transpositions.)
since all brackets will remain except $(x_i - x_{i+1})$, which will become $(x_{i+1} - x_i) =
-(x_i - x_{i+1})$, so we will have one change of sign.
Arguing by induction we suppose that (3.6) is true for all permutations π = (i j)
for which |j − i| < . Suppose now that |j − i| = . Since
Example 3.1.19 We can have a look at the elements of S4 , listing all of them, checking
which of them are even and which of them are odd.
The elements in the first two lines are even permutations, and the remaining elements
are odd. We have
Exercises
as products of transpositions.
2. What would be the parity of the product of 11 odd permutations?
3. Let $\pi, \rho \in S_n$ be two permutations. Prove that π and $\rho^{-1}\pi\rho$ have the same parity.
4. Let $\pi, \rho \in S_n$ be two permutations. Prove that $\pi^{-1}\rho^{-1}\pi\rho$ is an even permutation.
5. Determine the parity of the permutation σ of order n such that $\sigma(i) = n + 1 - i$.
3.1.7 Puzzle 15
We close this section with a few words about a game played with a simple toy. This
game seems to have been invented in the 1870s by the famous puzzle-maker Sam
Loyd. It caught on and became all the rage in the United States in the 1870s, and
finally led to a discussion by W. Johnson in the scholarly journal, the American
Journal of Mathematics, in 1879. It is often called the 15-puzzle.
Consider a toy made up of 16 squares, numbered from 1 to 15 inclusive and with
the lower right-hand corner blank.
1 2 3 4
5 6 7 8
9 10 11 12
13 14 15
The toy is constructed so that the squares can be slid vertically and horizontally,
such moves being possible because of the presence of the blank square. Start with
the position shown above and perform a sequence of slides in such a way that, at
the end, the lower right-hand square is again blank. Call the new position realisable.
The natural question is: How can we determine whether or not the given position is
realisable?
What do we have here? After a sequence of slides we have shuffled the numbers
from 1 to 15; that is, we have effected a permutation of the numbers from 1 to 15. To
ask which positions are realisable is merely to ask which permutations can be carried
out. This is a permutation of S16 since the blank square also moves in the process. In
other words, in S16 , the symmetric group of degree 16, which permutations can be
reached via the toy? For instance, can the following position
13 4 12 15
1 14 9 6
8 3 2 7
10 5 11
be realised?
We will denote the empty square by the number 16. The position will be then
$a_1\ a_2\ a_3\ a_4$
$a_5\ a_6\ a_7\ a_8$
1 3 5 7
9 11 13 15
2 4 6
8 10 12 14
If we make a move pulling down the square 13, then the new position will be
1 3 5 7
9 11 15
2 4 13 6
8 10 12 14
We observe the rule by which the permutation changes: when we swap the square with the
number i on it with the neighboring empty square, the permutation is being multiplied
on the right by the transposition (i 16).
If the empty square was initially in the right bottom corner, then m is even and σ is
even.
from which we see that the parity of σ is the same as the parity of m.
Let us colour the board in the chessboard pattern.
Every move changes the colour of the empty square. Thus if at the beginning and
at the end the empty square was black, then there was an even number of moves made.
Therefore, if initially the right bottom corner was empty and we could transform this
position to the initial position, then an even number of moves was made, m is even,
and σ is also even. �
It can be shown that every position, with an even permutation σ can be transformed
to the initial position, but no easy proof is known.
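Decomposition into transpositions, parity, and the 15-puzzle test, as an added Python example (my code, not the book's). Permutations are tuples in one-line form, p[i-1] = π(i), products are left to right as in the book, the blank square is numbered 16 as in the text, and transpositions, product, parity, puzzle_permutation and realisable are my names. The parity is computed by counting inversions, which does not depend on the particular decomposition into transpositions; the product of the transpositions returned is checked to give the permutation back.

```python
def transpositions(pi):
    """Write pi as a product t_1 t_2 ... t_k of transpositions (t_1 applied first).
    Starting from the identity arrangement, each step swaps one wrong value into
    its place, so at most n - 1 transpositions are used."""
    n = len(pi)
    cur, ts = list(range(1, n + 1)), []
    for i in range(1, n + 1):
        if cur[i - 1] != pi[i - 1]:
            j = cur.index(pi[i - 1]) + 1          # j > i: earlier positions are done
            cur[i - 1], cur[j - 1] = cur[j - 1], cur[i - 1]
            ts.append((i, j))
    return ts[::-1]                               # book order: first factor applied first


def product(n, ts):
    """Multiply transpositions (as pairs) left to right into one-line form."""
    p = tuple(range(1, n + 1))
    for a, b in ts:
        t = list(range(1, n + 1))
        t[a - 1], t[b - 1] = b, a
        p = tuple(t[p[i - 1] - 1] for i in range(1, n + 1))   # p := p * t
    return p


def parity(pi):
    """'even' or 'odd', from the number of inversions (pairs i < j with pi(i) > pi(j))."""
    n = len(pi)
    inversions = sum(1 for i in range(n) for j in range(i + 1, n) if pi[i] > pi[j])
    return "even" if inversions % 2 == 0 else "odd"


def puzzle_permutation(rows):
    """Read a 15-puzzle position row by row; the blank (None) is the number 16."""
    flat = [16 if v is None else v for row in rows for v in row]
    if sorted(flat) != list(range(1, 17)):
        raise ValueError("not a valid 15-puzzle position")
    return tuple(flat)


def realisable(rows):
    """A position with the blank in the lower right corner is reachable from the
    initial one only if its permutation is even; the text states the converse
    without proof, so an even permutation is reported as realisable."""
    pi = puzzle_permutation(rows)
    return pi[15] == 16 and parity(pi) == "even"
```

Applied to the position asked about earlier in the section (13 4 12 15 / 1 14 9 6 / 8 3 2 7 / 10 5 11 blank), the permutation is odd, so that position cannot be reached by sliding.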
Exercises
14 10 13 12        10 14 13 12
 6 11  9  8         6 11  9  8
 7  3  5  1         7  3  5  1
 4 15  2            4 15  2
show that one of them is realisable and one is not without writing down the
corresponding permutations and determining their parities.
2. For each of the following arrangements of the 15-puzzle determine the parity of
the corresponding permutation.
 1  3  2  4        13  5  3
 6  5  7  8         9  2  7 10
 9 13 15 11         1 15 14  8
14 10 12           12 11  6  4
Surprisingly many objects in mathematics satisfy the same properties as the symmet-
ric groups defined in Definition 3.1.2. There is good reason to study all such objects
simultaneously. For this purpose we introduce the concept of a general group.
(a ∗ b) ∗ c = a ∗ (b ∗ c) for all a, b, c ∈ G.
(This element is often also denoted by 1, or, if the group operation is written as
addition, it is usually denoted by 0.)
3. Every element of G possesses an inverse; i.e., given g ∈ G there exists a unique
element h in G such that
The element h is called the inverse of g, and denoted by g −1 (when the operation
is written as addition, the inverse is usually denoted by −g).
We denote this group (G, ∗), or simply G, when this invites no confusion. A group
G in which the commutative law holds (a ∗ b = b ∗ a for all a, b ∈ G) is called a
commutative group or an abelian group.
In any group (G, ∗) we have the familiar formula for the inverse of the product
Example 3.2.1 We established in the previous sections that Sn is a group, the opera-
tion being multiplication of permutations (i.e., composition of functions). This group
is not abelian.
Example 3.2.2 Here is an example where the group operation is written as addi-
tion: Zn is an abelian group under addition ⊕ modulo n. This was established in
Theorem 1.4.1.
Example 3.2.3 $Z_n^*$ (the set of invertible elements in the ring $Z_n$) is a group under
multiplication modulo n. In particular, $Z_8^* = \{1, 3, 5, 7\}$ with $3^{-1} = 3$, $5^{-1} = 5$,
$7^{-1} = 7$.
When we talk about a group it is important to be clear about the group operation;
either it must be explicitly specified, or the group operation must be clear from
the context and tacitly understood. The following are cases where there is a clear
understanding of the operation, so it will often not be made explicit. Most important
are:
• When we talk about the group $Z_n$ we mean the set of integers modulo n under
addition modulo n.
• When we talk about the group $Z_n^*$ we mean the set of invertible elements of the
ring $Z_n$ under multiplication modulo n.
Normally, when making general statements about groups, we write the statements
in multiplicative notation; but it is important to be able to apply them also in situations
where the group operation is written as addition (some obvious modifications must
be made).
Definition 3.2.2 Let G be a group and e be its identity element. The number of
elements of G is called the order of G and is denoted |G|.
Exercises
1. Show that division a b = a/b is a binary operation on R\{0}. Show that it is not
associative.
2. Show that a b = ab is a binary operation on the set R+ of positive real numbers.
Show that it does not have a neutral element.
3. Let $C_n$ be the set of all complex numbers satisfying the equation $z^n = 1$. Prove
that this is an abelian group of order n.
4. Prove that the set $GL_n(\mathbb{R})$ of all invertible n × n matrices is a non-abelian group.
5. Prove that for four arbitrary elements g1 , g2 , g3 , g4 of a group G (where the
operation is written as multiplication)
List all possible arrangements of brackets on the product g1 g2 g3 g4 and show that
the result will be always the same so that we can write
g1 g2 g3 g4
for all of them without confusion. Finally you may try to prove that a product
g1 g2 . . . g n
Since we know that the product $g_1 g_2 \ldots g_n$ is independent of the way in which these
elements are associated, it becomes clear that the usual law of exponents $g^i g^j = g^{i+j}$
holds (totally obvious in the case where both i and j are positive, and still trivial in
all other cases). The set of all powers of g ∈ G we denote by ⟨g⟩.
The usual law of multiples mg + ng = (m + n)g also holds. The set of all
multiples of g ∈ G we also denote by ⟨g⟩.
In the following corollary we find a link between the two concepts of ‘order’. It
is often useful since we can decide whether a group is cyclic or not by looking at the
orders of its elements.
Example 3.2.7 $Z_8^*$ is NOT a cyclic group, because $|Z_8^*| = \phi(8) = 4$ and there is no
element of order 4 in this group (indeed, check that they all have order 2).
$$k = \frac{\operatorname{lcm}(i, n)}{i} = \frac{in}{i \gcd(i, n)} = \frac{n}{\gcd(i, n)}.$$
$$\operatorname{ord}(110) = \frac{121}{\gcd(121, 110)} = \frac{121}{11} = 11.$$
Exercises
3.2.3 Isomorphism
A single group may have several very different presentations. To deal with this
problem mathematics introduces the concept of isomorphism.
Definition 3.2.7 Let G and H be two groups with operations ∗ and ◦, respectively.
An onto and one-to-one mapping σ : G → H is called an isomorphism if
for all g1 , g2 ∈ G.
What it says is that if we rename the elements of H appropriately and change the
name for the operation in H, we will obtain the group G. If two groups G and H are
isomorphic, we write $G \cong H$. The equation (3.9) written as
g1 ∗ g2 = σ −1 (σ(g1 ) ◦ σ(g2 ))
The famous slide rule—a commonly used calculation tool in science and engineering
before electronic calculators became available—was based on this isomorphism.
          $Z_4$                         $Z_5^*$
  ⊕ | 0  1  2  3              · | 1  2  3  4
  --+-----------              --+-----------
  0 | 0  1  2  3              1 | 1  2  3  4
  1 | 1  2  3  0              2 | 2  4  1  3
  2 | 2  3  0  1              3 | 3  1  4  2
  3 | 3  0  1  2              4 | 4  3  2  1
We may observe that the first table can be converted into the second one if we
make the following substitution:
0 → 1, 1 → 2, 2 → 4, 3 → 3
(check it right now). Therefore this mapping, let us call it σ, from Z4 to Z∗5 is an
isomorphism. The mystery behind this mapping is clarified if we notice that we
actually map
3.2 General Groups 99
$0 \to 2^0,\ 1 \to 2^1,\ 2 \to 2^2,\ 3 \to 2^3$.
Then the isomorphism property (3.9) follows from the formula $2^i 2^j = 2^{i \oplus j}$.
Before continuing with the study of isomorphisms we make a useful observation:
in any group G the only element that satisfies $g^2 = g$ is the identity element. Indeed,
multiplying this equation by $g^{-1}$ we get g = e.
Proposition 3.2.1 Let (G, ∗) and (H, ◦) be two groups and e be the identity element
of G. Let σ : G → H be an isomorphism of these groups. Then σ(e) is the identity
of H.
Theorem 3.2.2 Let (G, ∗) and (H, ◦) be two groups and σ : G → H be an isomorphism.
Then σ^{-1} : H → G is also an isomorphism.
for all h1, h2 ∈ H. For this reason we apply σ to both sides of this equation. As
σσ^{-1} = id_G and σ^{-1}σ = id_H, and due to (3.9)
σ(σ^{-1}(h1 ◦ h2)) = h1 ◦ h2,
σ(σ^{-1}(h1) ∗ σ^{-1}(h2)) = σ(σ^{-1}(h1)) ◦ σ(σ^{-1}(h2)) = h1 ◦ h2.
We now move on to one of the main theorems of this section. The theorem will,
in particular, give us a tool for calculating orders of elements of cyclic groups which
are also written multiplicatively.
Proof Since G = < g > has cardinality n, by Lemma 3.2.1 we have ord(g) = n and
G = {g^0, g^1, g^2, . . . , g^{n−1}}. We define σ : Zn → G by setting σ(i) = g^i. Then
where ⊕ is addition modulo n. This checks (3.9) and proves that the mapping σ is
indeed an isomorphism. �
Now we can reap the benefits of Theorem 3.2.4.
Corollary 3.2.2 Let G be a multiplicative cyclic group and G = < g >, where g is
an element of order n. Then
ord(g^i) = n/gcd(i, n). (3.11)
Proof This now follows from the theorem we have just proved and Theorems 3.2.1
and 3.2.3. Indeed, the order of g^i in G must be the same as the order of i in Zn. �
Exercises
1. Let σ : G → H be an isomorphism and g be an element of G. Prove that σ(g^{-1}) =
σ(g)^{-1}.
2. Let Cn be the group of all complex numbers satisfying the equation z^n = 1. Prove
that Cn ≅ Zn.
3. Prove that the multiplicative group of complex numbers C^* is isomorphic to the
group of matrices
G = \left\{ \begin{pmatrix} a & -b \\ b & a \end{pmatrix} \;\middle|\; a, b ∈ R \right\}
gap> OrderMod(264,271);
270
3.2.4 Subgroups
Proof To decide whether or not < g > is a subgroup, we must answer three questions:
• Does the identity e of G belong to < g >? The answer is YES, because g^0 = e
and < g > consists of all powers of g.
• If x, y ∈ < g >, does xy also belong to < g >?
x ∈ < g > means that x = g^i for some integer i; similarly, y = g^j for some integer
j. Then xy = g^i g^j = g^{i+j}, which shows that xy is a power of g and therefore
belongs to < g >.
• If x ∈ < g >, does x^{-1} also belong to < g >?
x ∈ < g > means that x = g^i for some integer i; then x^{-1} = g^{-i}, i.e., x^{-1} is also
a power of g and therefore belongs to < g >.
So < g > is indeed a subgroup. It is the smallest subgroup containing g ∈ G since
any subgroup that contains g must also contain all powers of g. �
ab = ba = c, bc = cb = a, ac = ca = b, a^2 = b^2 = c^2 = e,
We see that V is indeed a subgroup of S4 . This group is known as the Klein four-group.
Additional information about orders may be extracted using Lagrange’s Theorem.
We will state and prove this theorem below, but first we need to introduce the cosets
of a subgroup. Let G be a group, H a subgroup of G, and g ∈ G. The set gH = {gh |
h ∈ H} is called a left coset of H and the set Hg = {hg | h ∈ H} is called a right
coset of H.
Example 3.2.12 Let us consider G = S4 and H = V , the Klein four-group which
is a subgroup of S4 . Let g = (12). Then the corresponding left coset consists of the
permutations
(12)V = {(12), (34), (1 4 2 3), (1 3 2 4)}.
only 2^2 mod 17, 2^4 mod 17, and 2^8 mod 17. Our calculations will terminate when
we find that 2^8 ≡ 1 mod 17; the order of 2 in Z_17^* is therefore 8.
Exercises
1. Let SL_n(R) be the set of all real matrices with determinant 1. Prove that this is a
subgroup of GL_n(R).
2. Let m, n be positive integers and let m be a divisor of n. Prove that Cm is a subgroup
of Cn.
3. Prove that a cyclic group G of order n has exactly φ(n) generators, i.e., elements
g ∈ G such that G = < g >.
4. Let G be a finite group with |G| even. Prove that it contains an element of order
2.
5. Prove that any finite subgroup of the multiplicative group C^* of the field C of
complex numbers is cyclic.
During the last 20 years, the theory of elliptic curves over finite fields has been
found to be of great value to cryptography. As methods of factorisation of integers
are getting better and computers are getting more powerful, to maintain the same
level of security the prime numbers p and q in RSA have to be chosen bigger and
bigger, which slows calculations down. The idea of using elliptic curves over finite
fields belongs to Neal Koblitz [1] and Victor Miller [2] who in 1985 independently
proposed cryptosystems based on groups of points of elliptic curves. By now their
security has been thoroughly tested and in 2009 the National Security Agency of
the USA stated that “Elliptic Curve Cryptography provides greater security and
more efficient performance than the first generation public key techniques (RSA and
Diffie–Hellman) now in use”. Some researchers also see elliptic curves as the source
of cryptosystems for the next generation. Certicom www.certicom.com was the first
company to market security products using elliptic curve cryptography.
Elliptic curves are not ellipses and do not look like them. They received their name due
to their similarities with denominators of elliptic integrals that arise in calculations
of the arc length of ellipses.
Definition 3.3.1 Let F be a field, and a, b be scalars in F such that the cubic X^3 +
aX + b has no multiple roots. An elliptic curve E over a field F is the set of solutions
(X, Y) ∈ F^2 to the equation
Y^2 = X^3 + aX + b, (3.12)
When F is the field of real numbers the condition on the cubic can be expressed
in terms of a and b. Let r1, r2, r3 be the roots (maybe complex) of X^3 + aX + b, taken
together with their multiplicities, i.e., such that
This real number is called the discriminant of the cubic, and the cubic has no multiple
roots if and only if this discriminant is nonzero, i.e.,
This condition also guarantees the absence of multiple roots over an arbitrary field F.
Y^2 = X^3 + 3X + 4
When F = R is a field of reals, the graph of an elliptic curve can have two different
forms depending on whether the cubic on the right-hand side of (3.12) has one or
three real roots (see Fig. 3.1).
Jacobi4 (1835) was the first to suggest using the group law on a cubic curve. In
this section we will introduce the addition law for points of the elliptic curve (3.12),
so that it will become an abelian group. We will do this first for elliptic curves over
the familiar field of real numbers. These curves have the advantage that they can be
represented graphically.
4 Carl Gustav Jacob Jacobi (1804–1851) was a German mathematician who made fundamental
contributions to elliptic functions, dynamics, differential equations, and number theory.
Theorem 3.3.1 The elliptic curve E over R relative to this addition is an (infinite)
abelian group. If P = (x1, y1) and Q = (x2, y2) are two points of E, then P + Q =
(x3, y3), where
1. in case (a)
x_3 = \left(\frac{y_2 - y_1}{x_2 - x_1}\right)^2 - x_1 - x_2, \qquad (3.16)
y_3 = -y_1 + \frac{y_2 - y_1}{x_2 - x_1}\,(x_1 - x_3). \qquad (3.17)
2. in case (b)
x_3 = \left(\frac{3x_1^2 + a}{2y_1}\right)^2 - 2x_1, \qquad (3.18)
y_3 = -y_1 + \frac{3x_1^2 + a}{2y_1}\,(x_1 - x_3). \qquad (3.19)
Proof First, we have to prove that the addition is defined for every pair of (not
necessarily distinct) points of E. Suppose we are in case (a), which means x1 ≠ x2.
Then we have to show that the third point R on the line PQ exists. The equation of
this line is y = mx + c, where m = (y2 − y1)/(x2 − x1) and c = y1 − mx1. A point (x, mx + c) of
Since we already have two real roots of this polynomial x1 and x2 we will have the
third one as well. Dividing the left-hand side of (3.20) by (x − x1)(x − x2) will give
the factorisation
where x3 is this third root. Knowing x1 and x2, the easiest way to find x3 is to notice
that x1 + x2 + x3 = m^2, and express the third root as x3 = m^2 − x1 − x2. Since
m = (y2 − y1)/(x2 − x1), this is exactly (3.16). Now we can also calculate y3 as follows
(remember (x3, y3) represents −R, hence the minus). This will give us (3.17).
Case (b) is similar, except that m can now be calculated as the derivative dy/dx at
P. Implicit differentiation of (3.12) gives us
2y \frac{dy}{dx} = 3x^2 + a,
or dy/dx = (3x^2 + a)/2y. Hence m = (3x1^2 + a)/2y1. (We note that y1 ≠ 0 in this
case.) This implies (3.18) and (3.19). �
It helps to visualise the point at infinity ∞ as located far up the y-axis. Then it
becomes the third point of intersection of any vertical line with the curve. Then (c),
(d), and (e) of Definition 3.3.2 will implement the same set of rules as (a) and (b),
for the case when the point at infinity is involved.
We deduced formulae (3.16)–(3.19) for the real field R but they make sense for
any field. Of course we have to remove references to parallel lines and interpret the
addition rule in terms of coordinates only.
Definition 3.3.4 Let F be a field and let E be the set of pairs (x, y) ∈ F^2 satisfying
(3.12) plus a special symbol ∞. Then for any (x1, y1), (x2, y2) ∈ E we define:
(a) If x1 ≠ x2, then (x1, y1) + (x2, y2) = (x3, y3), where x3, y3 are defined by
formulae (3.16) and (3.17).
(b) If y1 ≠ 0, then (x1, y1) + (x1, y1) = (x3, y3), where x3, y3 are defined by
formulae (3.18) and (3.19).
(c) (x, y) + (x, −y) = ∞ for all (x, y) ∈ E (including the case y = 0).
(d) (x, y) + ∞ = ∞ + (x, y) = (x, y) for all (x, y) ∈ E.
(e) ∞ + ∞ = ∞.
Theorem 3.3.2 For any field F and for any elliptic curve
Y^2 = X^3 + aX + b, a, b ∈ F,
the set E with the operation of addition defined in Definition 3.3.4 is an abelian group.
Proof It is easy to check that the identity element is ∞ and the inverse of P = (x, y)
is −P = (x, −y). So two axioms of a group are obviously satisfied. It is not easy
to prove that the addition, so defined, is associative. We omit this proof since it is a
tedious calculation. �
Example 3.3.2 Suppose F = Z11 and the curve is given by the equation Y^2 = X^3 + 7.
Then P = (5, 0) and Q = (3, 10) belong to the curve. We have
x3 = m^2 − x1 − x2 = 3 − 5 − 3 = 6,
y3 = −y1 + m(x1 − x3) = 0 + 6(−1) = 5,
so P + Q = (6, 5). Calculating 2Q = (x4, y4), we get m = (3 · 3^2 + 0)/9 = 3 and
x4 = m^2 − 2x1 = 9 − 2 · 3 = 3,
y4 = −y1 + m(x1 − x4) = −10 + 3 · 0 = 1,
so 2Q = (3, 1). The last equation 2P = ∞ follows straight from the definition (part
(c) of Definition 3.3.4).
The calculations in the last example can be done with GAP. The program has
to read the files elliptic.gd and elliptic.gi first (given in the appendix).
Then the command EllipticCurveGroup(a,b,p); calculates the points of
the elliptic curve Y^2 = X^3 + aX + b mod p. As you see below, GAP uses the multiplicative
notation for operations of elliptic curves:
Read("/.../elliptic.gd");
Read("/.../elliptic.gi");
gap> G:=EllipticCurveGroup(0,7,11);
EllipticCurveGroup(0,7,11)
gap> points:=AsList(G);
[ ( 2, 2 ), ( 2, 9 ), ( 3, 1 ), ( 3, 10 ), ( 4, 4 ), ( 4, 7 ), ( 5, 0 ),
( 6, 5 ), ( 6, 6 ), ( 7, 3 ), ( 7, 8 ), infinity ]
gap> P:=points[7];
( 5, 0 )
gap> Q:=points[4];
( 3, 10 )
gap> P*Q;
( 6, 5 )
gap> Q^2;
( 3, 1 )
gap> P^2;
infinity
Exercises
Y^2 = X^3 + 4X + 11, Y^2 = X^3 + 6X + 11?
r1 + r2 + r3 = 0, r1r2 + r1r3 + r2r3 = a, r1r2r3 = −b. (3.21)
Theorem 3.3.3 If F = Zp for p > 2, then exactly half of all nonzero elements of
the field Zp are quadratic residues.
Proof Since p is odd, p − 1 is even. Then all nonzero elements of Zp can be split
into pairs,
Zp \ {0} = {±1, ±2, . . . , ±(p − 1)/2}.
Since i^2 = (−i)^2, each pair gives us only one quadratic residue, hence we cannot
have more than (p − 1)/2 quadratic residues. On the other hand, if we have x^2 = y^2,
then x^2 − y^2 = (x − y)(x + y) = 0. Due to the absence of zero divisors, we then
have x = ±y. Therefore we have exactly (p − 1)/2 nonzero quadratic residues. �
gap> RootMod(12,103);
fail
gap> RootMod(13,103);
61
Let p be a large prime. Let us try to estimate the number of points on the elliptic
curve Y^2 = f(X) over Zp, where f(X) is a cubic. For a solution with the first
coordinate X to exist it is necessary and sufficient that f(X) is a quadratic residue. It
is plausible to suggest that f(X) will be a quadratic residue for approximately half of
all points X ∈ Zp. On the other hand, if f(X) is a nonzero quadratic residue, then the
equation Y^2 = f(X) will have two solutions with X as the first coordinate. Hence it
is reasonable to expect that the number of points on the curve will be approximately
2 · (p/2) + 1 = p + 1 (p plus the point at infinity). Hasse5 (1930) gave the exact bound,
which we give here without a proof:
5 Helmut Hasse (1898–1979) was a German mathematician working in algebraic number theory,
known for many fundamental contributions. The period when Hasse’s most important discoveries
were made was a very difficult time for German mathematics. When the Nazis came to power in
1933 a great number of mathematicians with Jewish ancestry were forced to resign and many of
them left the country. Hasse did not compromise his mathematics for political reasons, he struggled
against Nazi functionaries who tried (sometimes successfully) to subvert mathematics to political
doctrine. On the other hand, he made no secret of his strong nationalistic views and his approval of
many of Hitler’s policies.
Theorem 3.3.5 (Hasse’s Theorem) Suppose E is an elliptic curve over Zp and let
N be the number of points on E. Then
p + 1 − 2√p ≤ N ≤ p + 1 + 2√p. (3.22)
It was also shown that for any p and N satisfying (3.22) there exists a curve over Zp
having exactly N points.
As we have already seen, cryptography works with large objects with which it is
difficult to calculate. Large elliptic curves are of great interest to it. Hasse’s theorem
says that to have a large curve we need a large field. This can be achieved in two
ways. The first is to have a large prime p. The second is to keep p small but to try
to build a new large field F, as an extension of Zp. As we will see later, for every n
there is a field containing exactly q = p^n elements. There is a more general version
of Theorem 3.3.5 which also often goes by the name of “Hasse’s Theorem”.
Theorem 3.3.6 Suppose E is an elliptic curve over a field F containing q elements
and let N be the number of points on E. Then
q + 1 − 2√q ≤ N ≤ q + 1 + 2√q. (3.23)
For cryptographic purposes, it is not uncommon to use elliptic curves over fields of
2^150 or more elements. It is worth noting that for n ≥ 20 it is infeasible to list all
points on the elliptic curve over a field of 2^n elements.
Despite the fact that each curve has quite a few points there does not exist a
deterministic algorithm which will produce, in less than exponential time, a point
on a given curve Y^2 = f(X). In particular, it is difficult to find X such that f(X) is a
quadratic residue. In practice, fast probabilistic methods are used.
Example 3.3.4 Let F = Z5. Consider the curve Y^2 = X^3 + 2. Let us list all the
points on this curve and calculate the addition table for the corresponding abelian
group E. The quadratic residues of Z5 are 1 = 1^2 = 4^2 and 4 = 2^2 = 3^2. We shall
list all possibilities for x and in each case see what y can be:
x = 0 ⟹ y^2 = 2, no solution
x = 1 ⟹ y^2 = 3, no solution
x = 2 ⟹ y^2 = 0 ⟹ y = 0
x = 3 ⟹ y^2 = 4 ⟹ y = 2, 3
x = 4 ⟹ y^2 = 1 ⟹ y = 1, 4
Hence we can list all the points of E. We have E = {∞, (2, 0), (3, 2), (3, 3), (4, 1),
(4, 4)}. Let us calculate the addition table.
We see that 2 · (2, 0) = ∞, hence ord((2, 0)) = 2. Also 3 · (3, 2) = 3 · (3, 3) = ∞,
while 2 · (3, 2) ≠ ∞ and 2 · (3, 3) ≠ ∞, hence ord((3, 2)) = ord((3, 3)) = 3.
Exercises
1. Fill the remaining empty slots of the table above and find the orders of (4, 1) and
(4, 4).
2. Find all quadratic residues of the field Z17 .
3. Use Hasse’s theorem to estimate the number of points on an elliptic curve over
Z2011 .
4. Prove that:
(a) the product of two quadratic residues and the inverse of a quadratic residue
are quadratic residues;
(b) the product of a quadratic residue and a quadratic non-residue is a quadratic
non-residue;
(c) the product of two quadratic non-residues is a quadratic residue.
5. Prove that if a is a quadratic non-residue, then a^{(p−1)/2} = −1. (Use Wilson’s theorem,
which is Exercise 7 in Sect. 1.4.)
6. Use the trial and error method to find a quadratic non-residue in Zp , where
p = 359334085968622831041960188598043661065388726959079837.
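The following is an added Python example, not code from the book (which works in GAP): it computes the quadratic residues of Zp as in the proof of Theorem 3.3.3, tests residuosity with Euler’s criterion (a standard criterion, of which Exercise 5 above asks for one half), enumerates the points of Y^2 = X^3 + aX + b over Zp exactly as Example 3.3.4 does by hand, finds a quadratic non-residue by trial and error as Exercise 6 asks, and checks the point count against Hasse’s bound (3.22). The nonsingularity test 4a^3 + 27b^2 ≠ 0 is the standard discriminant condition, which the text states only in words. All curves and primes used are the ones that appear in the text; the function names are my own.

```python
# Added example (Python, not the book's GAP code): quadratic residues of Z_p,
# Euler's criterion, the points of Y^2 = X^3 + aX + b over Z_p and Hasse's bound.

def quadratic_residues(p):
    """Nonzero quadratic residues of Z_p, obtained by squaring 1, ..., p-1.
    By Theorem 3.3.3 there are exactly (p-1)/2 of them for an odd prime p."""
    return sorted({(x * x) % p for x in range(1, p)})

def is_quadratic_residue(a, p):
    """Euler's criterion (p an odd prime, a not divisible by p):
    a is a quadratic residue iff a^((p-1)/2) = 1 in Z_p."""
    a %= p
    if a == 0:
        return False
    return pow(a, (p - 1) // 2, p) == 1

def find_nonresidue(p):
    """Trial-and-error search for a quadratic non-residue: test 2, 3, 4, ...
    with Euler's criterion. Half of Z_p^* are non-residues, so this stops fast."""
    a = 2
    while is_quadratic_residue(a, p):
        a += 1
    return a

def is_nonsingular(a, b, p):
    """The cubic X^3 + aX + b has no multiple roots in Z_p (p > 3) iff its
    discriminant -16(4a^3 + 27b^2) is nonzero, i.e. 4a^3 + 27b^2 != 0 mod p."""
    return (4 * a**3 + 27 * b**2) % p != 0

def curve_points(a, b, p):
    """Affine points of Y^2 = X^3 + aX + b over Z_p (the point at infinity is not
    included). For each x: f(x) = 0 gives one point (x, 0); f(x) a residue gives
    the two points (x, y) and (x, -y); otherwise x contributes nothing."""
    points = []
    for x in range(p):
        fx = (x**3 + a * x + b) % p
        if fx == 0:
            points.append((x, 0))
        elif is_quadratic_residue(fx, p):
            # the two square roots of fx, by brute force (fine for small p)
            points.extend((x, y) for y in range(1, p) if (y * y) % p == fx)
    return points

def point_count(a, b, p):
    """N = number of points on the curve, the point at infinity included."""
    return len(curve_points(a, b, p)) + 1

def hasse_bound_holds(a, b, p):
    """Check (3.22): p + 1 - 2*sqrt(p) <= N <= p + 1 + 2*sqrt(p),
    written without square roots as (N - (p + 1))^2 <= 4p."""
    N = point_count(a, b, p)
    return (N - (p + 1)) ** 2 <= 4 * p

if __name__ == "__main__":
    # the curve of Example 3.3.4 over Z_5 and the curve of Example 3.3.2 over Z_11
    for a, b, p in [(0, 2, 5), (0, 7, 11)]:
        print(p, curve_points(a, b, p), "N =", point_count(a, b, p),
              "Hasse bound holds:", hasse_bound_holds(a, b, p))
    print("non-residue mod 17:", find_nonresidue(17))
```

For p = 11 the enumeration returns the same eleven affine points that the GAP session above lists, and for Z5 the six points of Example 3.3.4. Euler’s criterion makes `find_nonresidue` usable even for the 54-digit prime of Exercise 6, since `pow` with a modulus runs in time linear in the bit length.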
For calculating multiples efficiently the same rules apply as to calculating powers.
Below we give a complete analogue of the Square and Multiply algorithm.
Theorem 3.3.7 Given P ∈ E, for any positive integer N it is possible to calculate
N · P using no more than 2⌊log2 N⌋ additions.
where m0 = ⌊log2 N⌋ and m0 > m1 > · · · > ms. We can find all multiples 2^{mi} · P,
i = 1, 2, . . . , s by successive doubling in m0 additions:
2^1 · P = P + P,
2^2 · P = 2^1 · P + 2^1 · P,
...
2^{m0} · P = 2^{m0−1} · P + 2^{m0−1} · P.
Now to calculate
we need no more than m0 extra additions. In total no more than 2m0 = 2⌊log2 N⌋.
Since n = ⌊log2 N⌋ is the length of the input, the complexity function f(n) is at most
linear in n or f(n) = O(n). �
The algorithm presented here can be called the Double and Add algorithm. It
has linear complexity. Up to isomorphism, this is the same algorithm as Square and
Multiply.
We see that it is an easy task to calculate multiples of any point P on an elliptic curve.
That is, it is easy to calculate N · P given an integer N and a point P on the curve.
However there is no easy way to calculate N given N · P and P. So the function
N → N · P is a one-way function, and it is by now recognised as being of great
significance for cryptography. This branch of cryptography is called Elliptic Curve
Cryptography (ECC). It was proposed in 1985 by Victor Miller and Neal Koblitz as a
mechanism for implementing public-key cryptography alternative to RSA. We will
show one of the cryptosystems of ECC in the next section.
Exercises
Let G be the abelian group of the elliptic curve Y 2 = X 3 + 1234X + 17 over Z346111 .
(GAP will take a few seconds to generate this group, be patient.)
Calculating this, we initially added a junk digit zero to every xi and tried to find a
matching yi . If we failed, we would change the last digit to 1, and, in the case of
another failure to 2, etc. We see that x3 gave us a quadratic residue straightaway, x1
and x2 needed the second attempt with the last digit 1 and x4 needed three attempts
with the last digits 0,1,2.
Exercises
1. Use the trial and error method to find a quadratic residue r and a quadratic non-
residue n in Zp , where
p = 359334085968622831041960188598043661065388726959079837.
The exponential Diffie–Hellman key exchange can easily be adapted for elliptic
curves. Suppose that E is a publicly known elliptic curve over Zp . Alice and Bob,
through an open channel, agree upon a point Q ∈ E. Alice chooses a secret positive
integer kA (her private multiplier) and sends kA · Q to Bob. Bob chooses a secret pos-
itive integer kB (his private multiplier) and sends kB · Q to Alice. Bob then calculates
P = kB · (kA · Q) = kA kB · Q, and Alice calculates P = kA · (kB · Q) = kA kB · Q.
They now both know the point P which they can use as the key for a conventional
secret key cryptosystem. An eavesdropper wanting to spy on Alice and Bob would
face the following task called the Diffie–Hellman problem for elliptic curves:
The Diffie–Hellman Problem: Given Q, kA · Q, kB · Q (but not kA or kB ), find
P = kA kB · Q. No polynomial time algorithms are known for this problem.
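As an added example (Python, not the book’s GAP code; the function names are my own), here is the group law of Definition 3.3.4 over Zp, the Double and Add algorithm of Theorem 3.3.7, and the Diffie–Hellman exchange just described, all checked against Example 3.3.2. The private multipliers used in the toy exchange are constructed values.

```python
# Added example (Python, not the book's GAP code): the addition of Definition 3.3.4
# over Z_p, the Double and Add algorithm of Theorem 3.3.7 and the elliptic-curve
# Diffie-Hellman exchange. Points are (x, y) tuples; INF stands for the symbol ∞.

INF = None

def on_curve(P, a, b, p):
    """True if P = (x, y) satisfies Y^2 = X^3 + aX + b in Z_p (INF counts as on it)."""
    if P is INF:
        return True
    x, y = P
    return (y * y - (x**3 + a * x + b)) % p == 0

def ec_add(P, Q, a, p):
    """P + Q by cases (a)-(e) of Definition 3.3.4. Only the coefficient a is
    needed, because formulas (3.16)-(3.19) never mention b."""
    if P is INF:                       # cases (d) and (e)
        return Q
    if Q is INF:                       # case (d)
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                     # case (c): (x, y) + (x, -y) = ∞, y = 0 included
    if x1 != x2:                       # case (a): slope of the chord, (3.16), (3.17)
        m = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    else:                              # case (b): slope of the tangent, y1 != 0, (3.18), (3.19)
        m = (3 * x1 * x1 + a) * pow((2 * y1) % p, -1, p) % p
    x3 = (m * m - x1 - x2) % p
    y3 = (-y1 + m * (x1 - x3)) % p
    return (x3, y3)

def ec_multiply(N, P, a, p):
    """N * P by Double and Add: walk the binary digits of N from the least
    significant one, doubling a running multiple of P and adding it to the result
    where the digit is 1, so that only O(log N) additions are used (Theorem 3.3.7)."""
    result, addend = INF, P
    while N > 0:
        if N & 1:
            result = ec_add(result, addend, a, p)
        addend = ec_add(addend, addend, a, p)
        N >>= 1
    return result

def ec_order(P, a, p):
    """ord(P): the least k >= 1 with k * P = ∞ (brute force, small curves only)."""
    k, R = 1, P
    while R is not INF:
        R = ec_add(R, P, a, p)
        k += 1
    return k

def ecdh_shared_point(Q, kA, kB, a, p):
    """The exchange described in the text: Alice publishes kA*Q, Bob publishes kB*Q,
    and each multiplies the other's point by their own private multiplier.
    Returns (Alice's result, Bob's result); they agree since kA*(kB*Q) = kB*(kA*Q)."""
    alice_public = ec_multiply(kA, Q, a, p)    # sent over the open channel
    bob_public = ec_multiply(kB, Q, a, p)      # sent over the open channel
    alice_key = ec_multiply(kA, bob_public, a, p)
    bob_key = ec_multiply(kB, alice_public, a, p)
    return alice_key, bob_key

if __name__ == "__main__":
    # Example 3.3.2: Y^2 = X^3 + 7 over Z_11 with P = (5, 0), Q = (3, 10)
    P, Q = (5, 0), (3, 10)
    print("P + Q =", ec_add(P, Q, 0, 11), " 2Q =", ec_multiply(2, Q, 0, 11),
          " 2P =", ec_multiply(2, P, 0, 11))
    # a toy Diffie-Hellman exchange on the same curve (constructed multipliers 5 and 7)
    print("shared point:", ecdh_shared_point((2, 2), 5, 7, 0, 11))
```

The same `ec_multiply` recomputes the published points of Exercise 1 in the next section from the private multipliers given there (curve Y^2 = X^3 + 12345 over Z95701, so a = 0), and `ec_order` reproduces the orders 2 and 3 found for (2, 0), (3, 2) and (3, 3) in Example 3.3.4. Keeping only `a` as a parameter of `ec_add` mirrors the formulas; `on_curve` is the check one should run on any point received over the open channel before using it.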
Elgamal6 (1985) modified the Diffie–Hellman idea to adapt it for message trans-
mission (see [3], p. 287). It starts as above with Alice and Bob publicly announcing
Q and exchanging kB · Q and kA · Q, which play the role of their public keys. Alter-
natively you may think that there is a public domain run by a trusted authority where
Q is stored and that any new entrant, say Cathy, chooses her private multiplier kC
and publishes her public key kC · Q there.
1. Alice and Bob are setting up the Elgamal elliptic curve cryptosystem for private
communication. They’ve chosen a point Q = (88134, 77186) on the elliptic curve
E given by Y^2 = X^3 + 12345 over Z95701. They’ve chosen their private multipliers
kA = 373 and kB = 5191 and published the points QA = (27015, 92968) and
QB = (55035, 17248), respectively. They agreed to cut the messages into two-
letter segments and encode the letters as A = 11, B = 12, . . . , Z = 36, space =
41, ’ = 42, . = 43, , = 44, ? = 45. They also agreed that, for each point (x, y),
only the first four digits of x are meaningful (so that they can add additional junk
digits to their messages, if needed, to obtain a point on the curve).
(a) Alice got the message:
References
1. Koblitz, N.: Elliptic curve cryptosystems. Math. Comput. 48, 203–209 (1987)
2. Miller, V.: Uses of Elliptic Curves in Cryptography. Advances in Cryptology—Crypto ’85, pp.
417–426 (1986)
3. Koblitz, N.: Algebraic Aspects of Cryptography. Springer, Berlin (1998)
4. Shanks, D.: Five number theoretic algorithms. In: Proceedings of the Second Manitoba Conference on Numerical Mathematics, pp. 51–70 (1973)
Chapter 4
Fields
In Sect. 1.4 we defined a field and proved that, for any prime p, the set of integers
Z_p = {0, 1, 2, . . . , p − 1} with the operations:
a ⊕ b = a + b mod p,
a ⊙ b = ab mod p
is a field. This field has cardinality p. So far, these are the only finite fields we have
learned. In this chapter we prove that a finite field must have cardinality pn for some
prime p and positive integer n, i.e., its cardinality may only be a power of a prime.
Such fields exist and we lay the grounds for the construction of such fields in Chap. 5.
In this chapter we also prove a very important result that the multiplicative group
of any finite field is cyclic. This makes it possible to define “discrete logarithms”—
special functions on finite fields that are difficult to compute, and widely used in
cryptography. We show that the Elgamal cryptosystem can also be based on the
multiplicative group of a large finite field.
We recap that an algebraic system consisting of a set F equipped with two operations,
addition + and multiplication ·, is called a field if the following nine axioms are
satisfied:
Three basic properties of fields are stated in the following theorem. The second
one is called absence of divisors of zero and the third solvability of linear equations.
We saw these properties hold for Z p but now we would like to prove them for arbitrary
fields.
0 · a = (0 + 0) · a = 0 · a + 0 · a (by F3 and F8).
0 = −(0 · a) + (0 · a + 0 · a) = (−(0 · a) + 0 · a) + 0 · a = 0 + 0 · a = 0 · a (by F2, F4 and F3).
0 = a^{-1} · 0 = a^{-1}(ab) = (a^{-1}a)b = 1 · b = b (by F6, F9 and F7).
A very important technique is enlarging a given field to obtain a larger field with
some given property. After learning a few basic facts about polynomials we discuss
how to make such extensions.
Exercises
1. Prove that the set of all non-negative rational numbers Q+ is NOT a field.
2. Prove that the set of all integers Z is NOT a field.
3. Prove that the set of all real numbers Q(√2) of the form x + y√2, where x and
y are in Q, is a field.
4. Consider Q(√3), which is defined similarly to the field from the previous exercise.
Find the inverse element of 2 − √3 and solve the equation
(2 − √3)x = 1 + √3.
3x + y + 4z = 1
x + 2y + z = 2
4x + y + 4z = 4
with coefficients in Z_5.
The reader familiar with Linear Algebra may well skip this section.
Example 4.1.2 Where F is a field, F^n is the set of n-tuples whose entries are scalars
from F. It is a vector space over F relative to the following addition and scalar
multiplication:
\begin{pmatrix} a_1 \\ a_2 \\ \vdots \\ a_n \end{pmatrix} + \begin{pmatrix} b_1 \\ b_2 \\ \vdots \\ b_n \end{pmatrix} = \begin{pmatrix} a_1 + b_1 \\ a_2 + b_2 \\ \vdots \\ a_n + b_n \end{pmatrix}, \qquad k \begin{pmatrix} a_1 \\ a_2 \\ \vdots \\ a_n \end{pmatrix} = \begin{pmatrix} k a_1 \\ k a_2 \\ \vdots \\ k a_n \end{pmatrix}.
In particular, R^n, C^n and Z_p^n are vector spaces over the fields R, C and Z_p, respectively.
Example 4.1.3 Let F^{m×n} be the set of m × n matrices whose entries are scalars from a
field F. It is a vector space over F relative to matrix addition and scalar multiplication.
The sets of all m × n matrices R^{m×n}, C^{m×n} and (Z_p)^{m×n} with entries from R, C
and Z_p are vector spaces over the fields R, C and Z_p, respectively.
Example 4.1.4 Let F be a field, and F_n[x] be the set of all polynomials of degree
at most n whose coefficients are scalars from F. It is a vector space over F relative
to the addition of polynomials and scalar multiplication. The sets of all polynomials
R_n[x], C_n[x] and (Z_p)_n[x] of degree at most n with coefficients from R, C and Z_p
are vector spaces over the fields R, C and Z_p, respectively.
Example 4.1.5 Let F be a field, F[x] be the set of all polynomials (without restriction
on their degrees), whose coefficients are scalars from F. It is a vector space
over F relative to addition of polynomials and scalar multiplication. The sets of all
polynomials R[x], C[x] and Z_p[x] with coefficients from R, C and Z_p are vector
spaces over the fields R, C and Z_p, respectively.
Proof This is an exercise. Check that the vector space axioms for G all follow from
the field axioms. �
Example 4.1.6 The field of complex numbers C is a vector space over the reals R
which is a subfield of C. Both C and R are vector spaces over the rationals Q.
The axioms of a vector space have many useful consequences. The two most
important ones are as follows:
0 · v = 0, (−1) · v = −v.
Proof We will prove only the first one, the second is an exercise. We will use VS4
(d) for this. We have
0 · v = (0 + 0) · v = 0 · v + 0 · v.
Definition 4.1.3 Let V be a vector space over the field F and v1, . . . , vk be arbitrary
vectors in V. Then the set of all possible linear combinations a1 v1 + a2 v2 + · · · +
ak vk with coefficients a1, . . . , ak in F is called the span of v1, . . . , vk and denoted
span{v1, . . . , vk}.
Definition 4.1.4 Let V be a vector space over the field F. The space V is said to
be finite-dimensional if there exists a finite number of vectors v1 , v2 , . . . , vk which
span V , that is V = span{v1 , v2 , . . . , vk }.
Proof We will concentrate only on the second part of this example (for the first see
the exercise below). Suppose F[x] is finite-dimensional and there exist polynomials
f_1, f_2, . . . , f_n such that
F[x] = span{f_1, f_2, . . . , f_n}.
Let us choose a positive integer N such that N > deg(f_i) for all i = 1, . . . , n.
As {f_1, f_2, . . . , f_n} spans F[x] we can find scalars a1, a2, . . . , an such that x^N =
a1 f_1 + a2 f_2 + · · · + an f_n. Then
Definition 4.1.5 Let V be a vector space over the field F. A subset {v1 , v2 , . . . , vk }
of V is said to be linearly dependent if there exist scalars a1 , a2 , . . . , ak in F, not all
of which are 0, such that
a1 v1 + a2 v2 + · · · + ak vk = 0.
Example 4.1.8 Let F^{m×n} be the space of all m × n matrices with entries from F. Let
E_ij be the matrix whose (i, j)-entry is 1 and all other entries are 0. Such a matrix is
called a matrix unit. The set of all n^2 matrix units is linearly independent.
and at least one coefficient is nonzero. Without loss of generality we may assume
that ak ≠ 0. Then
vk = −(ak^{-1} a1)v1 − · · · − (ak^{-1} ak−1)vk−1
v = a1 v1 + a2 v2 + · · · + an vn . (4.1)
Proof The fact that there is at least one such n-tuple follows from the fact that
{v1 , v2 , . . . , vn } spans V . Suppose there were two different ones:
v = a1 v1 + a2 v2 + · · · + an vn = b1 v1 + b2 v2 + · · · + bn vn .
Then
(a1 − b1 )v1 + · · · + (an − bn )vn = 0,
In the case when F is finite, it is now clear that all bases are equinumerous, i.e.,
contain the same number of vectors. This is also true in general.
Exercises
1. Check that F n satisfies all axioms of a vector space, observing how these axioms
follow from the axioms of a field.
2. Justify the statement in Example 4.1.8.
3. Justify the statement in Example 4.1.9.
u ⊕ v := uv,
i.e., the new addition is the former multiplication. Also for any real number a ∈ R
and any u ∈ V we define the scalar multiplication
a ⊙ u := u^a.
Theorem 4.1.4 Any finite field F contains one of the fields Z_p for a certain prime
p. In this case F is a vector space over Z_p and it contains p^n elements, where
n = dim_{Z_p} F.
The following is clear from the ring axioms: for any positive integers a, b
a · 1 + b · 1 = (a + b) · 1, (4.2)
(a · 1) · (b · 1) = (ab) · 1. (4.3)
a · 1 + b · 1 = (a ⊕ b) · 1,
(a · 1) · (b · 1) = (a ⊙ b) · 1,
where ⊕ and ⊙ are addition and multiplication modulo p. We can now recognise
that the set {0, 1, 2 · 1, . . . , (p − 1) · 1} together with the operations of addition and
multiplication in F is in fact Z_p. By Theorem 4.1.2 F is a vector space over Z_p.
The theorem we have proved states that the cardinality of any finite field is a power
of a prime. The converse is also true.
Definition 4.1.8 If p · 1 = 0 in a field F for some prime p, then this prime p is said
to be the characteristic of F. If such a prime does not exist, the field F is said to have
characteristic 0.
Theorem 4.1.5 For any prime p and any positive integer n there exists a field of
cardinality p^n. This field is unique up to isomorphism.
Proof We will show how to construct the fields of cardinality p^n in the next chapter.
The uniqueness, however, is beyond the scope of this book. �
The unique field of cardinality p^n is denoted GF(p^n) and is called the Galois
field of p^n elements.1
Exercises
1. Let n_1 = 449873499879757801 and n_2 = 449873475733618561. Find out if
there are fields GF(n_1) and GF(n_2). In case GF(n_i) exists for i = 1 or i = 2,
identify the prime number p such that Z_p ⊆ GF(n_i) and determine the dimension
of GF(n_i) over Z_p.
2. Let F be a finite field of q elements. Prove that all its elements are roots of the
equation x^q − x = 0. (Hint. Consider the multiplicative group (F^*, ·) of this field
and use Corollary 3.2.3.)
In any field F the set F^* of all nonzero elements plays a very important role. Axiom
F9 states that all elements of F^* are invertible. Moreover, this axiom, together with
axioms F5–F7 imply that F ∗ relative to the operation of multiplication is a commu-
tative group. This group is called the multiplicative group of F. Our goal for the rest
of this chapter is to prove that in any finite field F the multiplicative group of F is
cyclic.
We will concentrate our attention on orders of elements in F ∗ . Eventually, we will
find that there is always an element in F ∗ whose order is exactly the cardinality of
this group, thus proving that F ∗ is cyclic.
We now look at the field Z7 to get an intuition of what is to come. In this case
Z_7^* = {1, 2, 3, 4, 5, 6}. Let us calculate the powers of each element:
Powers of 1: 1, 1^2 = 1.
Powers of 2: 2, 2^2 = 4, 2^3 = 1; so there are 3 elements in Z7 which are powers
of 2.
Powers of 3: 3, 3^2 = 2, 3^3 = 6, 3^4 = 4, 3^5 = 5, 3^6 = 1; so all nonzero elements
are powers of 3.
Powers of 4: 4, 4^2 = 2, 4^3 = 1, so there are three distinct powers of 4.
Powers of 5: 5, 5^2 = 4, 5^3 = 6, 5^4 = 2, 5^5 = 3, 5^6 = 1, so all nonzero elements
are powers of 5.
Powers of 6: 6, 6^2 = 1, so there are two powers.
1 See Sect. 3.1.3 for a brief historical note about Évariste Galois.
We summarise our experience: the element 1 has order 1, the elements 2 and 4
have order 3, the elements 3 and 5 have order 6, and the element 6 has order 2. Hence
Z∗7 =< 3 >=< 5 >, it is cyclic and has two generators 3 and 5.
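An added Python example (not from the book, which uses GAP’s OrderMod for this): it computes orders in Z_n^* by repeated multiplication, reproduces the power lists for Z_7^* just given, lists the generators, and checks the formula (3.11) of Corollary 3.2.2, restated as (4.4) below, by brute force over every unit and exponent. It also confirms Example 3.2.7, that Z_8^* is not cyclic. The function names are my own.

```python
# Added example (Python, not the book's GAP code): orders of elements of Z_n^*,
# the formula ord(g^i) = ord(g)/gcd(i, ord(g)) of (3.11), and the generators that
# make Z_n^* cyclic (two for Z_7^*, none for Z_8^*).
from math import gcd

def units(n):
    """The elements of Z_n^*: residues 1 <= a < n coprime to n; there are φ(n) of them."""
    return [a for a in range(1, n) if gcd(a, n) == 1]

def order_mod(g, n):
    """ord(g) in Z_n^*: the least k >= 1 with g^k = 1 (g must be a unit)."""
    assert gcd(g, n) == 1, "g is not invertible modulo n"
    k, x = 1, g % n
    while x != 1:
        x = x * g % n
        k += 1
    return k

def powers_of(g, n):
    """g, g^2, g^3, ... up to the first power equal to 1, the list made for Z_7 above."""
    out, x = [], g % n
    while True:
        out.append(x)
        if x == 1:
            return out
        x = x * g % n

def order_of_power_formula(g, i, n):
    """Right-hand side of (3.11) with ord(g) in place of n: ord(g)/gcd(i, ord(g))."""
    m = order_mod(g, n)
    return m // gcd(i, m)

def formula_holds_everywhere(n):
    """Brute-force check of (3.11) for every unit g and every exponent 1 <= i < 2n."""
    return all(order_mod(pow(g, i, n), n) == order_of_power_formula(g, i, n)
               for g in units(n) for i in range(1, 2 * n))

def generators(n):
    """Units whose order is |Z_n^*| = φ(n); Z_n^* is cyclic iff this is nonempty
    (and then, by Exercise 3 of Sect. 3.2.4, there are exactly φ(φ(n)) of them)."""
    U = units(n)
    return [g for g in U if order_mod(g, n) == len(U)]

def is_cyclic(n):
    return len(generators(n)) > 0

if __name__ == "__main__":
    for g in units(7):
        print("powers of", g, "in Z_7^*:", powers_of(g, 7), " order", order_mod(g, 7))
    print("generators of Z_7^*:", generators(7), " Z_8^* cyclic:", is_cyclic(8))
```

`order_mod(264, 271)` returns the 270 that the OrderMod call in Sect. 3.2.3 printed, and `generators(7)` returns [3, 5], matching the two generators found by hand above. The brute-force `order_mod` is only for small moduli; for cryptographic sizes one uses the factorisation of φ(n) together with (3.11) instead of stepping through every power.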
Lemma 4.2.2 Every element of a finite group has a finite order. Moreover, in a finite
group the order of any element is a divisor of the total number of elements in the
group.
Proof Let G be a finite group containing g. Then by Proposition 3.2.1 ord(g) =
|< g >|, which is a divisor of |G| by Lagrange’s theorem. �
Proof Let ord(g) = m. Suppose n = qm + r, where 0 ≤ r < m, and suppose that
r ≠ 0. Then 1 = g^n = g^{qm+r} = (g^m)^q · g^r = g^r which contradicts the minimality
of m. �
Equation 3.11 will play a crucial role in the proof of our next lemma. To recap,
Eq. 3.11 says that for any element g ∈ G and positive integer i
ord(g^i) = \frac{ord(g)}{\gcd(i, ord(g))}.   (4.4)
Lemma 4.2.4 If g is an element of a group G and ord(g) = ki, where k and i are
positive integers, then ord(g^i) = k.
Proof By (4.4),
ord(g^i) = \frac{ord(g)}{\gcd(i, ord(g))} = \frac{ki}{i} = k. □
Lemma 4.2.5 Let G be a commutative group, and a and b be two elements of G that
have orders m and n, respectively. Suppose that gcd(m, n) = 1. Then ord(ab) = mn.
Proof Since (ab)^{mn} = a^{mn} b^{mn} = 1, we know by Lemma 4.2.3 that ord(ab) | mn.
Suppose that for some k the equality (ab)^k = 1 holds. Then (ab)^k = a^k b^k = 1
and a^k = (b^k)^{-1}. Let c = a^k = (b^k)^{-1}. Then c^m = (a^k)^m = (a^m)^k = 1 and
c^n = ((b^k)^{-1})^n = ((b^n)^k)^{-1} = 1. As 1 = gcd(m, n) = um + vn for some integers
u and v, we may write c = c^{um+vn} = c^{um} · c^{vn} = (c^m)^u · (c^n)^v = 1. Thus
a^k = b^k = 1 and by Lemma 4.2.3 we have m | k and n | k. This implies mn | k, because
m and n are relatively prime. If k = ord(ab), we get mn | ord(ab) and together with
ord(ab) | mn we get ord(ab) = mn. □
Let us show how to use these elements to construct an element g ∈ G such that
ord(g) = m and a^m = b^m = c^m = 1.
We claim that m can be taken as lcm(ord(a), ord(b), ord(c)) = 5^3 · 7^2 · 17^2 and
g = a^{17} b^5 c^7. Indeed, by Lemma 4.2.4 we have
Exercises
Theorem 4.2.1 Let G be a finite commutative group. Then there exists an element
g ∈ G such that ord(g) = m ≤ |G| and x^m = 1 for all x ∈ G.
Proof Let us consider the set of integers I = {ord(g) | g ∈ G} and let p_1, p_2, ..., p_n
be the set of all primes that occur in the prime factorizations of integers from I. For
each such prime p_i let us choose the element g_i such that ord(g_i) = p_i^{α_i} q_i, where
gcd(p_i, q_i) = 1 and the integer α_i is maximal among all elements of G. (Note that
the same element might correspond to several primes, i.e., among g_1, g_2, ..., g_n not
all elements may be distinct.) Then by Lemma 4.2.4 for the element h_i = g_i^{q_i} we
have ord(h_i) = p_i^{α_i}. Set g = h_1 h_2 ... h_n. Then, by Corollary 4.2.1,
and it is also clear that m divides the order of every element in G, thus x^m = 1 for
all x ∈ G. Moreover, m ≤ |G| by Lemma 4.2.2. □
Theorem 4.2.2 Let F be a finite field consisting of q elements. Then there exists an
element g ∈ F^* such that ord(g) = |F^*| = q − 1, i.e., F^* = <g>.
Corollary 4.2.3 Let F be a finite field consisting of q elements. Then ord(a) divides
q − 1 for every element a ∈ F^*.
Proof Let g be a primitive element of F. Then ord(g) = q − 1 and a = g^i for some
1 ≤ i < q − 1. Then by Lemma 4.2.4 ord(a) = ord(g^i) = (q − 1)/gcd(i, q − 1),
which is a divisor of q − 1. □
Theorem 4.2.3 For each prime p and positive integer n there is a unique, up to
isomorphism, finite field GF(p^n) that consists of p^n elements. Its elements are the
roots of the polynomial f(x) = x^{p^n} − x.
Proof We cannot prove the first part of the statement, i.e., the existence of F =
GF(p^n), but we can prove the second. Suppose F exists and g is a primitive element.
Then every nonzero element a of F lies in F^*, which is a cyclic group of order p^n − 1
with generator g. By Corollary 4.2.3 ord(a) is a divisor of p^n − 1, hence a^{p^n − 1} = 1.
It follows that a^{p^n} = a for all a ∈ F, including 0, which proves the second part of
the theorem. □
The idea behind the proof of the existence of GF(p^n) is as follows. Firstly we
construct an extension Z_p ⊂ K such that every polynomial with coefficients in Z_p
has a root in K. Then the polynomial f(x) = x^{p^n} − x will have p^n roots in K and
we have to check that f(x) does not have multiple roots. These p^n distinct roots will
then be a field GF(p^n).
From our considerations it follows that, if m | n, then GF(p^m) is a subfield of
GF(p^n). Indeed, any root of the equation x^{p^m} = x will also be a root of the equation
x^{p^n} = x (see Exercise 3 that follows).
Exercises
Thus 3 is a primitive element of Z_7 and log_3(3) = 1, log_3(2) = 2, log_3(6) = 3,
log_3(4) = 4, log_3(5) = 5, log_3(1) = 6.
Example 4.2.3 For example, g = 3 is a primitive element of Z_19 as seen from the
table featuring powers of 3:
n         1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18
3^n       3  9  8  5 15  7  2  6 18 16 10 11 14  4 12 17 13  1
The same table read backwards gives the discrete logarithms to base 3:
n         1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18
log_3(n) 18  7  1 14  4  8  6  3  2 11 12 15 17 13  5 10 16  9
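The order computations behind the Z_7 list above and the power and discrete log tables of Example 4.2.3, as an added Python example (not the book's own code, which uses GAP); the function names are ours, and logarithms follow the page's convention that log_g(1) = p − 1.

```python
from math import gcd


def element_order(a, p):
    """Multiplicative order of a in Z_p^* (p prime, 1 <= a < p).

    By Lemma 4.2.2 the order divides p - 1, so only divisors of p - 1 are tested.
    """
    for d in range(1, p):
        if (p - 1) % d == 0 and pow(a, d, p) == 1:
            return d
    raise ValueError("no order found; is p prime and 1 <= a < p?")


def orders_table(p):
    """{a: ord(a)} for every a in Z_p^*, e.g. the summary given for Z_7."""
    return {a: element_order(a, p) for a in range(1, p)}


def primitive_elements(p):
    """All generators of Z_p^*, i.e. elements of order exactly p - 1."""
    return [a for a in range(1, p) if element_order(a, p) == p - 1]


def euler_phi(n):
    """Euler's function; the number of primitive elements of Z_p is phi(p - 1)."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def power_table(g, p):
    """{n: g^n mod p} for n = 1, ..., p-1 (the first table of Example 4.2.3)."""
    return {n: pow(g, n, p) for n in range(1, p)}


def discrete_log_table(g, p):
    """{a: log_g(a)} with logs taken in 1, ..., p-1, so log_g(1) = p - 1.

    Built by inverting the power table, which is only a bijection when g is primitive.
    """
    powers = power_table(g, p)
    if len(set(powers.values())) != p - 1:
        raise ValueError(f"{g} is not a primitive element of Z_{p}")
    return {a: n for n, a in powers.items()}


if __name__ == "__main__":
    print(orders_table(7))                      # orders of 1..6 in Z_7
    print(primitive_elements(7), primitive_elements(19))
    print(discrete_log_table(3, 19))            # the log_3 table for Z_19
```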
Exercises
1. How many primitive elements are there in the field Z1237 ?
2. Let F = Z17 .
(a) Decide whether 2 or 3 is a primitive element of F. Denote the one which is
primitive by g.
(b) Compute the table of powers of g in F and the table of discrete logs to base g.
3. Let g be a primitive element in a finite field F consisting of q elements. Prove
that
log_g(ab) ≡ log_g(a) + log_g(b) mod (q − 1).
Elgamal algorithm is used in the free GNU Privacy Guard software, recent versions
of PGP, and other cryptosystems.
In the public domain, a large prime p and a primitive element α of Z_p are displayed.
Each participant of the group who wants to send or receive encrypted messages
creates their private and public keys. Alice, for example, selects a secret integer k_A
and calculates α^{k_A}, which she places in the public domain as her public key. Bob
selects a secret integer k_B and calculates α^{k_B}, which he places in the public domain as
his public key. Now they can exchange messages.
Suppose, for example, that Bob wants to send a message m to Alice. We'll assume
that m is an integer such that 0 ≤ m < p. (If m is larger, he breaks it into several
blocks as usual.) He chooses a secret random integer s and computes c_1 = α^s in
Z_p. He also takes Alice's public key α^{k_A} from the public domain and calculates
c_2 = m · (α^{k_A})^s. He sends this pair (c_1, c_2) of elements of Z_p to Alice; this is
the cyphertext. On the receiving end Alice uses her private key k_A to calculate m
as follows: m = c_2 · ((c_1)^{k_A})^{-1}. For the evil eavesdropper Eve to figure out k_A she
must solve a Discrete Logarithm Problem, which is difficult.
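The key setup and exchange just described, as an added Python example (not the book's code); it reuses p = 53 and the primitive element 2 from Exercise 1 below, while the private keys, the message and the fixed exponents used for reproducibility are constructed here.

```python
import secrets

# Public parameters taken from Exercise 1 below: a prime p and a primitive element alpha of Z_p.
P, ALPHA = 53, 2


def keygen(p=P, alpha=ALPHA, k=None):
    """Return (private k, public alpha^k). k is drawn at random unless supplied."""
    if k is None:
        k = secrets.randbelow(p - 2) + 1          # 1 <= k <= p - 2
    return k, pow(alpha, k, p)


def encrypt(m, pub, p=P, alpha=ALPHA, s=None):
    """Sender's side: c1 = alpha^s, c2 = m * pub^s, with a secret s for this message.

    s must be fresh and random for every message; a fixed s is accepted here only so
    the worked numbers below are reproducible.
    """
    if not 0 <= m < p:
        raise ValueError("message block must satisfy 0 <= m < p; split longer messages")
    if s is None:
        s = secrets.randbelow(p - 2) + 1
    c1 = pow(alpha, s, p)
    c2 = (m * pow(pub, s, p)) % p
    return c1, c2


def decrypt(c, k, p=P):
    """Receiver's side: m = c2 * (c1^k)^{-1}; the inverse uses Fermat, x^{-1} = x^{p-2}."""
    c1, c2 = c
    shared = pow(c1, k, p)                        # equals pub^s = alpha^{k s}
    return (c2 * pow(shared, p - 2, p)) % p


if __name__ == "__main__":
    # Constructed values: Alice's private key 19, Bob's per-message secret 7, message 17.
    k_a, pub_a = keygen(k=19)
    ciphertext = encrypt(17, pub_a, s=7)
    print(pub_a, ciphertext, decrypt(ciphertext, k_a))   # 12 (22, 23) 17
```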
Exercises
1. Alice and Bob agreed to use the Elgamal cryptosystem based on the multiplicative
group of the field Z p for p = 53. They also agreed to use 2 as the primitive element
of Z p . Since p is small their messages consist of a single letter which is encoded as
Bob’s public key is 32 and Alice sent him the message (30, 42). Which letter did
Alice send to Bob in this message?
2. Alice and Bob have set up the multiplicative Elgamal cryptosystem for private
communication. They've chosen an element g = 123456789 in the multiplicative
group of the field Z_p, where p = 123456789987654353003. They've chosen
their private exponents k_A = 373 and k_B = 5191 and published the elements
g_A = 52808579942366933355 and g_B = 39318628345168608817, respectively.
They agreed to cut the messages into ten-letter segments and encode the letters
as A = 11, B = 12, ..., Z = 36, space = 41, ' = 42, . = 43, , = 44, ? = 45.
Bob got the following message from Alice:
[ [ 83025882561049910713, 66740266984208729661 ],
[ 117087132399404660932, 44242256035307267278 ],
[ 67508282043396028407, 77559274822593376192 ],
[ 60938739831689454113, 14528504156719159785 ],
[ 5059840044561914427, 59498668430421643612 ],
[ 92232942954165956522, 105988641027327945219 ],
[ 97102226574752360229, 46166643538418294423 ] ]
A polynomial walks into a bar and asks for a drink. The barman
declines: “We don’t cater for functions.”
An old math joke.
This chapter is about polynomials and their use. After learning the basics we discuss
Lagrange's interpolation needed for Shamir's secret sharing scheme that we discuss
in Chap. 6. Then, after proving some further results on polynomials, we give a con-
struction of a finite field whose cardinality p^n is a power of a prime p. This field
is constructed as polynomials modulo an irreducible polynomial of degree n. The
field constructed will be an extension of Z_p and in this context we discuss minimal
annihilating polynomials which we will need in Chap. 7 for the construction of good
error-correcting codes.
f(x) = \sum_{i=0}^{k} a_i x^i,  a_i ∈ F,   (5.1)
where k is an arbitrary positive integer, is called a polynomial over F. The set of all
polynomials over F is denoted by F[x]. For k = 0 there is no distinction between the
scalar a_0 and the polynomial f(x) = a_0. Thus we assume that F ⊂ F[x]. The zero
polynomial 0 is a very special one. Any other polynomial f(x) ≠ 0 we can write in
the form (5.1) with a_k ≠ 0 and define its degree as follows.
Definition 5.1.1 Given a nonzero polynomial f(x) = \sum_{i=0}^{k} a_i x^i, with a_k ≠ 0, the
number k is said to be the degree of f(x) and will be denoted deg(f). Note that deg(f)
is undefined if f = 0. Colloquially speaking, the degree of f(x) is the highest power
of x which appears.
The addition and multiplication in the field induce the corresponding operations
over polynomials. Let
f(x) = \sum_{i=0}^{k} a_i x^i,  g(x) = \sum_{i=0}^{m} b_i x^i
be two polynomials and assume that deg(f) = k ≥ m = deg(g). Then we define
f(x) + g(x) := \sum_{i=0}^{k} (a_i + b_i) x^i,
where for i > deg(g) we assume that b_i = 0. Multiplication is defined in such a way
that x^i · x^j = x^{i+j} is true. The only way to do this is to set
f(x) g(x) := \sum_{i=0}^{k+m} \left( \sum_{j=0}^{i} a_j b_{i−j} \right) x^i.
The same convention also works here: a_p = 0, when p > deg(f), and b_q = 0, when
q > deg(g).
By defining these two operations we obtain an algebraic object which is called
the polynomial ring over F; it is also denoted by F[x].
We observe that
Proposition 5.1.1 For any two nonzero polynomials f , g ∈ F[x]
1. deg (f + g) ≤ max(deg (f ), deg (g));
2. deg (f g) = deg (f ) + deg (g) and, in particular, F[x] has no zero divisors.
Division with remainder is also possible.
Theorem 5.1.1 (Division Algorithm) Given polynomials f (x) and g(x) in F[x] with
g(x) = 0, there exist a “quotient” q(x) ∈ F[x] and a “remainder” r(x) ∈ F[x] such
that
f (x) = g(x)q(x) + r(x)
and either r(x) = 0 or deg (r) < deg (g). Moreover, the quotient and the remainder
are uniquely defined.
Proof Let
f(x) = \sum_{i=0}^{k} a_i x^i,  g(x) = \sum_{i=0}^{m} b_i x^i
be two polynomials with deg(f) = k and deg(g) = m. Then there are two cases to
consider:
Case 1. If k < m, then we can set q(x) = 0 and r(x) = f(x).
Case 2. If k ≥ m, we can define
f_1(x) = f(x) − b_m^{-1} a_k x^{k−m} g(x) = f(x) − g(x) q_1(x),
where q_1(x) = b_m^{-1} a_k x^{k−m}. This polynomial f_1(x) will be of smaller degree than f,
since f(x) and q_1(x) g(x) have the same degree k and the same leading coefficient
a_k. By induction hypothesis,
Then
g(x)(q_1(x) − q_2(x)) = r_2(x) − r_1(x).
This cannot happen for r_1(x) ≠ r_2(x) since the degree of the right-hand side is
smaller than the degree of the left-hand side. Thus r_2(x) − r_1(x) = 0. This can
happen only when q_1(x) − q_2(x) = 0, since F[x] has no zero divisors. □
The quotient and the remainder can be computed by the following "polynomial
long division" process, commonly taught in high school. For example, let us consider
polynomials f(x) = x^4 + x^3 + x^2 + x + 1 and g(x) = x^2 + 1 from Z_2[x]. Then

                  x^2 + x
x^2 + 1 )  x^4 + x^3 + x^2 + x + 1
           x^4       + x^2
           -----------------------
                 x^3       + x + 1
                 x^3       + x
                 -----------------
                               + 1

encodes a division with remainder of the polynomial f(x) by g(x). It shows that the
quotient q(x) and the remainder r(x) are
q(x) = x^2 + x,  r(x) = 1,
that is
x^4 + x^3 + x^2 + x + 1 = (x^2 + x)(x^2 + 1) + 1.
We say that a polynomial f(x) is divisible by g(x) if f(x) = q(x) g(x), i.e., when the
remainder is zero.
A polynomial (5.1) defines a function f : F → F with
f(α) = \sum_{i=0}^{k} a_i α^i.
In Analysis this function is always identified with the polynomial itself. However,
working over a finite field we cannot do this. Indeed, 1^2 + 1 = 0 and 0^2 + 0 = 0. So
the polynomial f(x) = x^2 + x over Z_2 is non-zero but the function associated with
it is the zero function.
Definition 5.1.3 An element α ∈ F is called a root1 of f (x) if f (α) = 0.
Proposition 5.1.2 An element α ∈ F is a root of a polynomial f (x) if and only if
f (x) = g(x)(x − α), i.e., f (x) is divisible by x − α.
1 A purist would talk about a zero of the polynomial f(x) but a root of the equation f(x) = 0. We
are not making this distinction.
f(x) = q(x)(x − α) + r,
where r ∈ F is the remainder and q(x) is the quotient. Substituting α in this equation
we get 0 = 0 + r, whence r = 0 and f(x) is divisible by (x − α) and q(x) can be
taken as g(x). Conversely, if f(x) = g(x)(x − α), then f(α) = g(α) · 0 = 0. □
f(x) = \sum_{i=0}^{k} a_i x^i,  a_i ∈ F,   (5.2)
Proof Suppose that α_1, ..., α_{k+1} ∈ F are distinct roots of f(x). By Proposition 5.1.2
Since in any field there are no divisors of zero we conclude that g_1(α_2) = 0 and by
Proposition 5.1.2
g_1(x) = (x − α_2) g_2(x),  deg(g_2) = k − 2.
Exercises
f(x) = 5x^4 + x^2 + 3x + 4,  g(x) = 3x^2 + 2x + 1.
and h(x) has at least k+1 distinct roots α0 , α1 , . . . , αk . However, by Proposition 5.1.3
this is impossible. □
f(x) = \sum_{i=0}^{k} β_i \frac{(x − α_0) ... (x − α_{i−1})(x − α_{i+1}) ... (x − α_k)}{(α_i − α_0) ... (α_i − α_{i−1})(α_i − α_{i+1}) ... (α_i − α_k)}   (5.6)
Proof The polynomial (5.6) was constructed as follows. We first constructed poly-
nomials g_i(x) of degree k such that g_i(α_i) = 1 and g_i(α_j) = 0 for i ≠ j. These
polynomials are:
Then the desired polynomial was constructed as f(x) = \sum_{i=0}^{k} β_i g_i(x). We immedi-
ately see that f(α_i) = β_i, as required. This polynomial is unique because of Propo-
sition 5.1.4. □
f(x) = 2 · \frac{x^2 + 1}{4 · 3} + 4 · \frac{x^2 + x + 3}{1 · 4} + 4 · \frac{x^2 + 2x + 2}{2 · 1} =
(x^2 + 1) + (x^2 + x + 3) + 2(x^2 + 2x + 2) = 4x^2 + 3.
(You can easily check that indeed f (1) = 2, f (2) = 4, f (3) = 4. Do it!)
Note: a simple alternative to using the formula is to calculate the coefficients of
the desired polynomial as the unique solution of a system of linear equations: if
f(x) = ax^2 + bx + c and f(1) = 2, f(2) = 4, f(3) = 4, we have the system
  a + b + c = 2,
 4a + 2b + c = 4,
 4a + 3b + c = 4.
f(x) = \sum_{i=0}^{k} a_i x^i,  a_i ∈ F,
Exercises
1. Use Lagrange interpolation to find f(x) = \sum_{i=0}^{2} a_i x^i ∈ Z_7[x] with f(1) = f(2) =
1 and f(3) = 2.
2. Find the constant term of the polynomial f (x) of degree no greater than 2 with
coefficients in Z7 such that f (1) = 3, f (3) = 2, f (4) = 1.
3. Find the constant term of the polynomial f (x) of degree at most 3 in Z7 such that
4. Use GAP to find a polynomial f (x) ∈ Z13 [x] of degree at most 3 such that
f(x) = \sum_{i=0}^{k} a_i x^i,  a_i ∈ F,   (5.7)
Definition 5.1.5 A polynomial f(x) from F[x] is said to be reducible over F if there
exist two polynomials f_1(x) and f_2(x) from F[x], each of degree greater than or
equal 1, such that f(x) = f_1(x) f_2(x). Otherwise f(x) is said to be irreducible over F.
f_1(x) = x^3,
f_2(x) = x^3 + 1,
f_3(x) = x^3 + x + 1,
f_4(x) = x^3 + x,
f_5(x) = x^3 + x^2,
f_6(x) = x^3 + x^2 + 1,
f_7(x) = x^3 + x^2 + x,
f_8(x) = x^3 + x^2 + x + 1.
Proof If f(x) is irreducible clearly it has no linear factors, nor by Proposition 5.1.2
does it have any roots in F. Conversely, suppose that f(x) has no roots in F. If it
is reducible, then f(x) = g(x) h(x), where either g(x) or h(x) has degree 1, and a
polynomial of degree 1 always has a root in F. This gives us a contradiction to
Proposition 5.1.2. □
Returning to our list, we know that any reducible polynomial f (x) of degree 3 has
a root in Z2 , i.e., either f (0) = 0 or f (1) = 0. Six out of the eight polynomials in the
table have roots in Z2 and only f3 (x) = x 3 + x + 1 and f6 (x) = x 3 + x 2 + 1 do not
have roots, hence they are the only two irreducible polynomials.
Proof If f(x) is reducible over F, then f(x) = g(x) h(x), where g(x), h(x) ∈ F[x]
both have degrees at least one. Then at least one of them will have degree not greater
than n/2. Any of its irreducible factors will have degree not greater than n/2. Hence,
if there are no irreducible polynomials over F of degree not greater than n/2 that
divide f(x), it must be irreducible over F. □
Irreducible polynomials play a similar role to that played by prime numbers. The
following theorem can be proved using the same ideas as for integers.
Theorem 5.1.4 Any polynomial f (x) from F[x] of degree no less than 1 can be
uniquely represented as a product
where p1 (x), p2 (x), . . . , pk (x) ∈ F[x] are monic irreducible (over F) polynomials, c
is a non-zero constant, and α1 , α2 , . . . , αk are positive integers. This representation
is unique apart from the order of p1 (x), p2 (x), . . . , pk (x).
Exercises
Definition 5.1.6 Let F be a field and f (x), g(x) be two polynomials from F[x]. A
monic polynomial d(x) ∈ F[x] is called the greatest common divisor of f (x) and
g(x) iff:
(a) d(x) divides both f (x) and g(x), and
(b) d(x) is of maximal degree with the above property.
The greatest common divisor of f (x) and g(x) is denoted gcd(f (x), g(x)) or
gcd(f , g)(x). Its uniqueness follows from the following
Theorem 5.1.5 (The Euclidean Algorithm) Let f and g be two polynomials. We use
the division algorithm several times to find:
Then all common divisors of f and g are also divisors of rs . Moreover, rs divides
both f and g. Thus rs = gcd(f , g).
Theorem 5.1.6 (The Extended Euclidean Algorithm) Let f and g be two polynomi-
als. Let us form the following matrix with two rows R_1, R_2, and three columns C_1,
C_2, C_3:
(C_1 C_2 C_3) = \begin{pmatrix} f & 1 & 0 \\ g & 0 & 1 \end{pmatrix}.
x^4 + x^3 + x^2 + 1 = (x^4 + x^2 + x + 1) · 1 + (x^3 + x)
x^4 + x^2 + x + 1 = (x^3 + x) · x + (x + 1)
x^3 + x = (x + 1) · (x^2 + x).
So gcd(f, g)(x) = x + 1.
x^4 + x^3 + x^2 + 1    1    0
x^4 + x^2 + x + 1      0    1
x^3 + x                1    1
x + 1                  x    x + 1
Definition 5.1.7 Two polynomials f (x), g(x) ∈ F[x] are said to be coprime (rela-
tively prime) if gcd(f , g)(x) = 1.
Corollary 5.1.2 Two polynomials f (x), g(x) ∈ F[x] are coprime if and only if there
exist polynomials m(x), n(x) ∈ F[x] such that
1 = f (x)m(x) + g(x)n(x).
Definition 5.1.8 Let F be a field and f (x), g(x) be two polynomials from F[x]. A
monic polynomial m(x) ∈ F[x] is called the least common multiple of f (x) and g(x)
if:
(a) m(x) is a multiple of both f (x) and g(x);
(b) m(x) is of minimal degree with the above property.
It is denoted lcm(f (x), g(x)) or lcm(f , g)(x).
All the usual properties of the least common multiple are satisfied. For example,
as for the integers, we can prove:
Theorem 5.1.7 Let f (x) and g(x) be two monic polynomials in F[x]. Then
Exercises
1. Find the greatest common divisor d(x) of the polynomials f(x) = x^7 + 1 and
g(x) = x^3 + x^2 + x + 1 in Z_2[x] and represent it in the form d(x) = f(x) m(x) +
g(x) n(x).
of all polynomials of degree lower than n. This is exactly the set of all possible
remainders on division by m(x). Clearly F[x]/(m(x)) is an n dimensional vector
space over F spanned by the monomials 1, x, . . . , x n−1 .
Let f (x) be a polynomial from F[x] and r(x) be its remainder on division by m(x).
We define
r(x) = f (x) mod m(x).
We will also write f (x) ≡ g(x) mod m(x) if f (x) mod m(x) = g(x) mod m(x).
Note that f (x) mod m(x) belongs to F[x]/(m(x)) for all f (x) ∈ F[x].
Let us now convert F[x]/(m(x)) into a ring2 by introducing the following addition
and multiplication:
Note that the ‘new’ addition is not really new as it coincides with the old one.
But we do indeed get a new multiplication. All properties of a commutative ring for
F[x]/(m(x)) can be easily verified.
Example 5.2.1 Let us consider the ring R[x]/(x 2 + 1). Since deg (x 2 + 1) = 2, this
is a 2-dimensional space over the reals with basis {1, x}. The addition is
One must be able to recognise the complex numbers (with x playing the role of i).
In mathematical language the ring R[x]/(x 2 + 1) is said to be isomorphic to C.
As in the case of the integers, and by using the same approach, we can prove
2 Those familiar with the basics of abstract algebra will recognise the quotient-ring of F[x] by the
principal ideal generated by m(x).
This means that r(x) ⊙ f(x) = 1 in F[x]/(m(x)), thus f(x) is invertible and r(x) is
its inverse.
On the other hand, if m(x) is not irreducible, we can write m(x) = n(x) k(x),
which will lead to n(x) ⊙ k(x) = 0 in F[x]/(m(x)). Then, having divisors of zero,
by Lemma 1.4.2 F[x]/(m(x)) cannot be a field. □
From now on, we will not use the special symbols ⊕ and ⊙ to denote the operations
in F[x]/(m(x)); this will invite no confusion.
Example 5.2.2 Prove that K = Z_2[x]/(x^4 + x + 1) is a field, and determine how
many elements it has. Then find (x^3 + x^2)^{-1}.
Solution To prove that K is a field we must prove that m(x) = x^4 + x + 1 is
irreducible. If it were reducible, then it would have a factor of degree 1 or 2. Since
m(0) = m(1) = 1, it does not have linear factors. So, if it is reducible, the only
possibility left is that it is the square of the only irreducible polynomial of degree 2,
that is (x^2 + x + 1)^2 = x^4 + x^2 + 1. This does not coincide with m(x), hence m(x)
is irreducible. Hence K is a field. Since dim_{Z_2} K = deg(m(x)) = 4, K has 2^4 = 16
elements.
By using the Extended Euclidean algorithm we get
x^4 + x + 1      1              0
x^3 + x^2        0              1
x^2 + x + 1      1              x + 1
x                x              x^2 + x + 1
1                x^2 + x + 1    x^3 + x
Thus (x^3 + x^2)^{-1} = x^3 + x. □
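The long division of Theorem 5.1.1, the Extended Euclidean Algorithm of Theorem 5.1.6 and the inverse computation of Example 5.2.2, as one added Python example that is not the book's code; polynomials over Z_p are coefficient lists with the constant term first, and the function names are ours.

```python
# Polynomials over Z_p (p prime) as coefficient lists, lowest degree first:
# [1, 1, 1, 1, 1] is x^4 + x^3 + x^2 + x + 1, and [] is the zero polynomial.


def trim(f):
    """Drop leading zero coefficients so that the representation is unique."""
    f = list(f)
    while f and f[-1] == 0:
        f.pop()
    return f


def deg(f):
    return len(f) - 1            # -1 for the zero polynomial


def add(f, g, p):
    n = max(len(f), len(g))
    return trim([((f[i] if i < len(f) else 0) + (g[i] if i < len(g) else 0)) % p
                 for i in range(n)])


def sub(f, g, p):
    return add(f, [(-c) % p for c in g], p)


def mul(f, g, p):
    if not f or not g:
        return []
    out = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = (out[i + j] + a * b) % p
    return trim(out)


def divmod_poly(f, g, p):
    """Theorem 5.1.1: (q, r) with f = g*q + r and r = 0 or deg r < deg g."""
    f, g = trim(f), trim(g)
    if not g:
        raise ZeroDivisionError("division by the zero polynomial")
    inv_lead = pow(g[-1], p - 2, p)        # b_m^{-1} by Fermat, p prime
    q = [0] * max(len(f) - len(g) + 1, 1)
    r = f
    while r and deg(r) >= deg(g):          # Case 2 of the proof, repeated
        shift = deg(r) - deg(g)
        coef = (r[-1] * inv_lead) % p      # b_m^{-1} a_k
        q[shift] = coef
        r = sub(r, mul([0] * shift + [coef], g, p), p)
    return trim(q), r


def ext_gcd(f, g, p):
    """Theorem 5.1.6: (d, u, v) with d monic, d = gcd(f, g) = u*f + v*g.

    Each row (r, u, v) keeps the invariant r = u*f + v*g, exactly like the
    three-column matrix on the page.
    """
    r0, u0, v0 = trim(f), [1], []
    r1, u1, v1 = trim(g), [], [1]
    if not r0 and not r1:
        raise ValueError("gcd(0, 0) is undefined")
    while r1:
        q, r = divmod_poly(r0, r1, p)
        r0, u0, v0, r1, u1, v1 = (r1, u1, v1, r,
                                  sub(u0, mul(q, u1, p), p), sub(v0, mul(q, v1, p), p))
    inv = pow(r0[-1], p - 2, p)            # make the gcd monic

    def scale(h):
        return trim([(c * inv) % p for c in h])
    return scale(r0), scale(u0), scale(v0)


def inverse_mod(f, m, p):
    """Inverse of f in Z_p[x]/(m(x)); exists iff gcd(f, m) = 1."""
    d, u, _ = ext_gcd(f, m, p)
    if d != [1]:
        raise ValueError("not invertible: gcd with the modulus is not 1")
    return divmod_poly(u, m, p)[1]


if __name__ == "__main__":
    print(divmod_poly([1, 1, 1, 1, 1], [1, 0, 1], 2))             # ([0, 1, 1], [1])
    print(ext_gcd([1, 0, 1, 1, 1], [1, 1, 1, 0, 1], 2))          # gcd x + 1
    print(inverse_mod([0, 0, 1, 1], [1, 1, 0, 0, 1], 2))          # x^3 + x
```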
Example 5.2.3 Let us continue to investigate K = Z2 [x]/(x 4 + x + 1) for a while.
We know that, as a finite field, K must have a primitive element, in fact φ(15) = 8
of them. The polynomial x 4 + x + 1 is very convenient since x is one of the primitive
elements of K. Let us compute powers of x and place all elements of K in the table
below.
Note that x 15 = 1, so logs are manipulated mod 15. We now have two different
representations of elements of K: as tuples (or polynomials) and as powers. The
first representation is best for calculating additions and the second for calculating
multiplications and inverses.
Theorem 5.2.1 allows us to construct a field of cardinality p^n for any prime p and
any positive integer n. All we need to do is to take Z_p and an irreducible polynomial
m(x) of degree n. Then Z_p[x]/(m(x)) is the desired field. In this book we will not
prove that for any p and any positive integer n such a polynomial indeed exists
(although it does!). Moreover, for any prime p and positive integer n the field of
p^n elements is unique up to an isomorphism. This is why it is denoted GF(p^n) and
called the Galois^3 field of cardinality p^n. Again, proving its uniqueness is beyond
the scope of this book.
Theorem 5.2.2 For any prime p and any positive integer n there exists a unique,
up to isomorphism, field GF(p^n) consisting of p^n elements.
In the Advanced Encryption Standard (AES) algorithm, adopted in 2001, the
field GF(2^8) is used for calculations. This field is constructed with the use of the
irreducible polynomial m(x) = x^8 + x^4 + x^3 + x + 1.
3 See Sect. 3.1.3 for a brief historical note about this mathematician.
Exercises
(e) How many primitive elements are there in the field F? List them all.
3. (advanced) Let f(x) = a_0 + a_1 x + ··· + a_n x^n be a polynomial from F[x], where
F is any field. We define the derivative of f(x) by the formula:
f'(x) = a_1 + 2a_2 x + ··· + n a_n x^{n−1}.
(a) Check that the product rule holds for such a derivative.
(b) Prove that any multiple root of f(x) is also a root of gcd(f(x), f'(x)).
(c) Let p be a prime. Prove that the polynomial f(x) = x^{p^n} − x does not have
multiple roots in any field F of characteristic p.
Let F and K be two fields such that F ⊆ K. We say that F is a subfield of K and that
K is an extension of F if the addition and multiplication in K, being restricted to F,
coincide with the operations in F of the same name.
Example 5.2.5 In the extension R ⊆ C, check that the polynomial f(t) = t^2 − 2t + 2
is the minimal annihilating polynomial for a = 1 + i over R.
αx^3 + βx^2 + γx + δ·1 = 0,
which means that 1, x, x^2, x^3 are linearly dependent over Z_2. But this was a basis of
Z_2[x]/(x^4 + x + 1), so we have drawn a contradiction. □
c_0·1 + c_1 a + c_2 a^2 + ··· + c_n a^n = 0.
This is the same as saying that f(a) = 0 for f(t) = c_0 + c_1 t + ··· + c_n t^n from F[t],
so we have found an annihilating polynomial of degree at most n. □
Proof (i) Suppose that f(t) is the minimal annihilating polynomial of a and that it
is reducible, i.e., f(t) = g(t) h(t), where g(t) and h(t) can be considered monic and
each of degree strictly less than deg(f). Then 0 = f(a) = g(a) h(a), whence (no zero
divisors in K) either g(a) = 0 or h(a) = 0, which contradicts the minimality of f(t).
(ii) Suppose that f(t) is the minimal annihilating polynomial of a and g(t) is any
other annihilating polynomial of a. Let us divide g(t) by f(t) with remainder:
a^0 = (1 + x + x^3)^0 = 1                → 1000
a^1 = (1 + x + x^3)^1 = 1 + x + x^3      → 1101
a^2 = (1 + x + x^3)^2 = 1 + x^3          → 1001
a^3 = (1 + x + x^3)^3 = x^2 + x^3        → 0011
a^4 = (1 + x + x^3)^4 = 1 + x^2 + x^3    → 1011
These five are already linearly dependent, so we don't have to compute any further
powers. Now we use the Linear Dependency Relationship Algorithm to find a linear
dependency between these tuples. We place them as columns in a matrix and take it
to the row reduced echelon form:
\begin{bmatrix} 1 & 1 & 1 & 0 & 1 \\ 0 & 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 & 1 \\ 0 & 1 & 1 & 1 & 1 \end{bmatrix}
\xrightarrow{rref}
\begin{bmatrix} 1 & 0 & 0 & 0 & 1 \\ 0 & 1 & 0 & 0 & 0 \\ 0 & 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 & 1 \end{bmatrix},
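The power table of Example 5.2.3 and the linear-dependency computation of the minimal annihilating polynomial shown above, as an added Python example (not the book's code); elements of Z_2[x]/(x^4 + x + 1) are packed into integers with bit i holding the coefficient of x^i, and the elimination routine is our own rather than the book's Linear Dependency Relationship Algorithm as stated there.

```python
# Elements of K = Z_2[x]/(m(x)) as n-bit integers: bit i is the coefficient of x^i,
# so 0b1011 is 1 + x + x^3 (the page writes this element as the tuple 1101).

M = 0b10011   # m(x) = x^4 + x + 1, the modulus of Examples 5.2.2 and 5.2.3


def gf2_mul(a, b, m=M):
    """Multiply two elements modulo m(x): carry-less multiply, reducing x^n as we go."""
    n = m.bit_length() - 1
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n & 1:            # degree reached n: replace x^n by m(x) - x^n
            a ^= m
    return r


def gf2_pow(a, e, m=M):
    r = 1
    for _ in range(e):
        r = gf2_mul(r, a, m)
    return r


def power_table(a=0b10, m=M):
    """[a^0, a^1, ..., a^(2^n - 2)]; with a = x this is the table of Example 5.2.3."""
    n = m.bit_length() - 1
    return [gf2_pow(a, k, m) for k in range(2 ** n - 1)]


def is_primitive(a, m=M):
    """a is primitive iff its powers run through all 2^n - 1 nonzero elements."""
    n = m.bit_length() - 1
    return len(set(power_table(a, m))) == 2 ** n - 1


def solve_gf2(basis, target, n):
    """Write target as a Z_2-combination of basis (n-bit ints); None if impossible.

    Gaussian elimination keyed on the lowest set bit; each row carries a bitmask
    recording which basis vectors were XORed into it.
    """
    pivots = {}
    for i, v in enumerate(basis):
        comb = 1 << i
        for bit in range(n):
            if v >> bit & 1:
                if bit in pivots:
                    pv, pc = pivots[bit]
                    v ^= pv
                    comb ^= pc
                else:
                    pivots[bit] = (v, comb)
                    break
    t, comb = target, 0
    for bit in range(n):
        if t >> bit & 1:
            if bit not in pivots:
                return None
            pv, pc = pivots[bit]
            t ^= pv
            comb ^= pc
    return [comb >> i & 1 for i in range(len(basis))]


def min_poly(a, m=M):
    """Minimal annihilating polynomial of a over Z_2, as a bitmask in t (bit i = coeff of t^i).

    As on the page: list a^0, a^1, ... and stop at the first power that is a linear
    combination of the earlier ones; a^d = sum c_i a^i gives t^d + sum c_i t^i.
    """
    n = m.bit_length() - 1
    powers = [gf2_pow(a, k, m) for k in range(n + 1)]
    for d in range(1, n + 1):
        coeffs = solve_gf2(powers[:d], powers[d], n)
        if coeffs is not None:
            poly = 1 << d
            for i, c in enumerate(coeffs):
                poly |= c << i
            return poly
    raise AssertionError("unreachable: n + 1 vectors in an n-dimensional space are dependent")


if __name__ == "__main__":
    print([f"{e:04b}"[::-1] for e in power_table()])   # tuples c0 c1 c2 c3 for x^0 .. x^14
    print(bin(min_poly(0b1011)))                         # 0b11001: t^4 + t^3 + 1
```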
Exercises
1. What is the dimension of the field F = GF(24 ) over its subfield F1 = GF(22 )?
2. Let K = Z2 [x]/(1 + x + x 4 ) as introduced in Example 5.2.3. Find the minimal
annihilating polynomial over Z2 for:
(a) α = 1 + x + x 2 ;
(b) α = 1 + x.
3. Let K be the field K = Z2 [x]/(x 4 + x 3 + 1). Then K is an extension of Z2 .
(a) Create a table for K as in Example 5.2.3. Check that x is a primitive element
of this field.
(b) Find the minimal annihilator polynomials for x, x 3 and x 5 over Z2 .
(c) Calculate (x 100 + x + 1)(x 3 + x 2 + x + 1)15 + x 3 + x + 1 in the most efficient
way and represent it as a power of x and as a polynomial in x of degree at
most 3.
4. Generate a field consisting of 16 elements using GAP. It will give you:
gap> F:=GaloisField(2^4);
GF(2^4)
gap> AsList(F);
[ 0*Z(2), Z(2)^0, Z(2^2), Z(2^2)^2, Z(2^4), Z(2^4)^2, Z(2^4)^3, Z(2^4)^4,
Z(2^4)^6, Z(2^4)^7, Z(2^4)^8, Z(2^4)^9, Z(2^4)^11, Z(2^4)^12, Z(2^4)^13,
Z(2^4)^14 ]
(a) Explain why Z(2^4)^5 and Z(2^4)^10 are not listed among the elements.
(b) Using GAP find the polynomial in Z_2[x] of smallest degree of which Z(2^4)^7
is a root.
Chapter 6
Secret Sharing
Certain cryptographic keys, such as missile launch codes, numbered bank accounts
and the secret decoding exponent in an RSA public key cryptosystem, are so impor-
tant that they present a dilemma. If too many copies are distributed, one may be leaked.
If too few, they might all be lost or accidentally destroyed. Secret sharing schemes
invented by Shamir [1] and Blakley [2] address this problem, and allow arbitrarily
high levels of confidentiality and reliability to be achieved. A secret sharing scheme
‘divides’ the secret s into ‘shares’—one for every user—in such a way that s can be
easily reconstructed by any authorised subset of users, but an unauthorised subset
of users can extract absolutely no information about s. A secret sharing scheme, for
example, can secure a secret over multiple servers and remain recoverable despite
multiple server failures.
Secret sharing also provides a mechanism to facilitate a cooperation—in both
human and artificial societies—when cooperating agents have different status with
respect to the activity and certain actions are only allowed to coalitions that satisfy
certain criteria, e.g., to sufficiently large coalitions or coalitions with players of
sufficient seniority or to coalitions that satisfy a combination of both criteria. The
banking system where the employees are arranged into a hierarchy according to their
ranks or designations provides many examples. Simmons,1 for example, describes
the situation of a money transfer from one bank to another. If the sum to be transferred
is sufficiently large this transaction must be authorised by three senior tellers or two
vice-presidents. However, two senior tellers and a vice-president can also authorise
the transaction. Tassa2 provides another banking scenario. The shares of the vault
key may be distributed among bank employees, some of whom are tellers and some
are department managers. The bank policy could require the presence of, say, three
employees in opening the vault, but at least one of them must be a departmental
manager.
1 Simmons, G. (1990). How to (really) share a secret. In: Proceedings of the 8th annual international
More formally, we assume that the set of users is U = {1, 2, . . . , n} and D is the
dealer who facilitates secret sharing.3 It is always assumed that the dealer knows the
secret.
Definition 6.1.1 Let 2^U be the power set^4 of the set of all users U. The set ⊆ 2^U
of all authorised coalitions is called the access structure of the secret-sharing scheme.
An access structure may be any subset of 2^U such that
min = {{1, 2}, {1, 3}}, then user 1 is much more important than the two other
users. Without user 1 the secret cannot be accessed. But user 1 is not almighty. To
access the secret she needs to join forces with at least one other user.
Here are a couple of real life examples.
Example 6.1.2 Consider the situation of a money transfer from one bank to another.
If the sum to be transferred is sufficiently large this transaction must be authorised
by three senior tellers or two vice-presidents. However, two senior tellers and a
vice-president can also authorise the transaction.
Example 6.1.3 The United Nations Security Council consists of five permanent
members and 10 non-permanent members. The passage of a resolution requires
that all five permanent members vote for it, and also at least nine members in total.
We will deal with threshold access structures first. A very elegant construction by
Shamir realising the threshold access structure is based on Lagrange’s interpolation
polynomial and will be presented in the next section.
Exercises
1. Let U = {1, 2, 3, 4} and min = {{1, 2, 3}, {3, 4}}. List all authorised coalitions.
2. Write down the minimal authorised coalitions for the access structure in
Example 6.1.2. Assume that the vice-presidents are users 1 and 2 and the senior
tellers are users 3, 4, 5.
3. Find the number of minimal authorised coalitions in Example 6.1.3.
4. Let U1 and U2 be disjoint sets of users and let 1 and 2 be access structures over
U1 and U2 respectively. Let U = U1 ∪ U2 . Then
(a) The sum of 1 and 2 is 1 + 2 = {X ⊆ U | X ∩U1 ∈ 1 or X ∩U2 ∈ 2 }.
Prove that 1 + 2 is an access structure.
(b) The product of 1 and 2 is 1 × 2 = {X ⊆ U | X ∩ U1 ∈ 1 and
X ∩ U2 ∈ 2 }. Prove that 1 × 2 is an access structure.
5. Let be an access structure over a set of users U and let us define the dual
structure of as the set of complements of all unauthorised coalitions, i.e.,
= {X ⊆ U | X^c ∉ }.
sufficiently large. Then the field Z p is large and we may assume that s ∈ Z p without
any danger that it can be easily guessed. Thus our secret will always be an element
of a finite field.
Suppose n users wish to share this secret by dividing it into ‘pieces’ in such a way
that any k people, where k is a fixed positive integer not exceeding n, can learn the
secret from their pieces, but no subset of less than k people can do so. Here the word
“dividing” must not be understood literally. Shamir proposed the following elegant
solution to this problem. The secret can be “divided into pieces” as follows. The
centre:
1. generates k random coefficients t_0, t_1, ..., t_{k−1} ∈ Z_p and sets the secret s to be t_0;
2. forms the polynomial p(x) = \sum_{i=0}^{k−1} t_i x^i ∈ Z_p[x];
3. gives user i the "piece" p(i), for i = 1, ..., n. Practically it can be an electronic
card where a pair of numbers (i, p(i)) is stored.
Now, given any k values for p(x), one can use Theorem 5.1.2 to interpolate and to find
all coefficients of p(x) including the secret t0 = s. However, due to Corollary 5.1.1,
a subset of k−1 values for p(x) provides absolutely no information about s, since for
any possible s there is a polynomial of degree k−1 consistent with the given values
and the possible value of s.
Example 6.1.4 The company Dodgy Dealings Inc. has four directors. According to
a clause in the company’s constitution any three of them are allowed to get access
to the company’s secret offshore account. The company set up a Shamir’s threshold
access secret sharing scheme for facilitating this clause with the secret password
being an element of Z7 . According to this scheme the system administrator issued
magnetic cards to the directors as required.
Suppose that three directors with the following magnetic cards

   i  | 1 2 4
 p(i) | 3 0 6

gathered to make a withdrawal from their offshore account. Show how the secret
password can be calculated.
Solution. A quadratic polynomial p(x) = t0 + t1 x + t2 x 2 ∈ Z7 [x] satisfies
If in Shamir’s scheme the enumeration of users is publicly known, then only the
value p(i) must be given to the ith user. In this case the secret s and each share p(i)
are both an element of the same field and need the same number of binary digits to
encode them. As we will see one cannot do any better.
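The dealer's three steps and the recovery by Lagrange interpolation at x = 0, as an added Python illustration (this is not code from the book). It also works through the cards of Example 6.1.4 over Z_7; the function names, the 3-out-of-5 round trip over Z_97 and the use of `pow(den, -1, p)` for field inverses are my own choices.

```python
"""Shamir's k-out-of-n threshold scheme over Z_p (added illustration, not the book's code)."""
import secrets


def eval_poly(coeffs, x, p):
    """Evaluate t_0 + t_1 x + ... + t_{k-1} x^{k-1} in Z_p by Horner's rule."""
    acc = 0
    for t in reversed(coeffs):
        acc = (acc * x + t) % p
    return acc


def split_secret(s, k, n, p, rng=secrets.randbelow):
    """Dealer: t_0 = s, t_1..t_{k-1} random in Z_p, user i gets the card (i, p(i)), i = 1..n.

    n < p keeps the evaluation points 1..n distinct, nonzero elements of Z_p."""
    if not 1 <= k <= n < p:
        raise ValueError("need 1 <= k <= n < p")
    coeffs = [s % p] + [rng(p) for _ in range(k - 1)]
    return [(i, eval_poly(coeffs, i, p)) for i in range(1, n + 1)]


def lagrange_at_zero(cards, p):
    """Secret recovery function of Example 6.2.3: the value at x = 0 of the
    Lagrange polynomial through k cards (a_r, s_r), computed in Z_p."""
    total = 0
    for r, (a_r, s_r) in enumerate(cards):
        num = den = 1
        for j, (a_j, _) in enumerate(cards):
            if j != r:
                num = num * (-a_j) % p
                den = den * (a_r - a_j) % p
        # pow(den, -1, p) is the inverse of den in the field Z_p (p prime)
        total = (total + s_r * num * pow(den, -1, p)) % p
    return total


def dodgy_dealings_password():
    """Example 6.1.4: three directors hold the cards (1, 3), (2, 0), (4, 6) over Z_7."""
    return lagrange_at_zero([(1, 3), (2, 0), (4, 6)], 7)


if __name__ == "__main__":
    cards = split_secret(42, 3, 5, 97)  # constructed 3-out-of-5 example over Z_97
    print("any 3 cards recover:", lagrange_at_zero(cards[:3], 97))
    print("Example 6.1.4 password:", dodgy_dealings_password())
```

With fewer than k cards the same routine cannot be run at all: by Corollary 5.1.1 every candidate secret s is consistent with exactly one polynomial of degree k − 1 through the k − 1 known points and (0, s), so the cards carry no information about t_0.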
Exercises
1. According to the 3-out-of-4 Shamir's threshold secret sharing scheme the administrator
issued electronic cards to the users:

   i  | 1 2 3 4
 p(i) | 4 4 x 0
2. Shamir's secret sharing scheme is set up so that the secret is an element of Z_{31}
and the threshold is 3 which means that any three users are authorised. Show how
the secret can be reconstructed from the shares

   i  |  1  5  7
 p(i) | 16  7 22
3. The league club Crawlers United has six senior board members. Each year the
club holds an anniversary day, and on this day the senior board members have a
duty to open the club vault, take out the club’s meager collection of trophies, and
put them on display. According to a clause in the club’s constitution any four of
them are allowed to open the vault. The club set up a Shamir’s threshold access
secret sharing scheme for facilitating this clause with the secret password being
an element of Z97 . According to this scheme the administrator issued electronic
cards to the senior board members as required.
Suppose that four senior board members are gathered to open the vault with the
following cards:

   i  |  1  2  4  6
 p(i) | 56 40 22 34
Let us see now how we can define a secret sharing scheme formally.
Let S_0, S_1, ..., S_n be finite sets where S_0 will be interpreted as a set of all possible
secrets and S_i will be interpreted as a set of all possible shares that can be given to
user i. Suppose |S_i| = m_i. We may think of a very large table, consisting of up to
M = m_0 m_1 ··· m_n rows, where each row contains a tuple
(s_0, s_1, ..., s_n), (6.2)
where s_i comes from S_i (and all rows are distinct). Mathematically, the set of all such
(n + 1)-tuples is denoted by the Cartesian product S_0 × S_1 × ... × S_n. Any subset
T ⊆ S_0 × S_1 × ... × S_n
(s_0, s_1, ..., s_n) ∈ T
is chosen by the dealer from T at random uniformly among those tuples whose first
coordinate is s_0. Then user i gets the share s_i ∈ S_i.
There is only one but essential component of a secret sharing scheme that we
have not introduced yet. We must ensure that every authorised coalition must be
able to recover the secret. Thus we need to have, for every authorised coalition
X = {i_1, i_2, ..., i_k} ∈ , a secret recovery function (algorithm)
with the property that f_X(s_{i_1}, s_{i_2}, ..., s_{i_k}) = s_0 for every (s_0, s_1, s_2, ..., s_n) ∈ T.
In particular, in the distribution table there cannot be tuples (s, ..., s_{i_1}, ..., s_{i_2}, ...,
s_{i_k}, ...) with s ≠ s_0.
6.2 A General Theory of Secret Sharing Schemes 159
The two secret recovery functions s_0 = f_{{1,2}}(s_1, s_2) and s_0 = f_{{1,3}}(s_1, s_3) can be
given by the tables
respectively. Note that the function f_{{2,3}} does not exist. Indeed, when (s_2, s_3) =
(0, 0) the secret s_0 can take values 0, 1, 2 so f_{{2,3}}(0, 0) is not defined.
Example 6.2.2 (n-out-of-n scheme) Let us design a secret sharing scheme with n
users such that the only authorised coalition is the grand coalition, that is the set
U = {1, 2, . . . , n}. We need a sufficiently large field F and set S0 = F so that it is
infeasible to try all secrets one by one. We will also have Si = F for all i = 1, . . . , n.
To share a secret s ∈ F the dealer generates n−1 random elements s_1, s_2, ..., s_{n−1}
∈ F and calculates s_n = s − (s_1 + ··· + s_{n−1}). Then he gives share s_i to user i.
The distribution table T will consist of all n-tuples (s_0, s_1, s_2, ..., s_n) such that
$\sum_{i=1}^{n} s_i = s_0$ and the secret recovery function (in this case the only one) will be
f_U(s_1, s_2, ..., s_n) = s_1 + s_2 + ··· + s_n.
The distribution table is convenient for defining the secret sharing scheme, how-
ever, in practical applications it is usually huge, so schemes are normally defined
differently.
160 6 Secret Sharing
and will be unable to determine which row was chosen by the dealer. So the scheme
in that example is perfect.
The scheme from Example 6.2.2 is obviously perfect. Let us have another look at
the perfect secret sharing scheme invented by Shamir and specify the secret recovery
functions.
Example 6.2.3 ([1]) Suppose that we have n users and the access structure is now
= {X ⊆ U | |X | ≥ k}, i.e., a coalition is authorised if it contains at least k users.
Let F be a large finite field and put Si = F for i = 0, 1, . . . , n. Let a1 , a2 , . . . , an
be distinct fixed publicly known nonzero elements of F (in the earlier example we
took ai = i).
Suppose s ∈ F is the secret to share. The dealer randomly generates t0 , t1 , . . . , tk−1
∈ F, sets s = t0 , and forms the polynomial
Then she gives the share si = p(ai ) to user i. Note that s = p(0).
Suppose now X = {i 1 , i 2 , . . . , i k } is a minimal authorised coalition. Then the
secret recovery function is
$$f_X(s_{i_1}, s_{i_2}, \dots, s_{i_k}) = \sum_{r=1}^{k} s_{i_r}\,\frac{(-a_{i_1})\cdots\widehat{(-a_{i_r})}\cdots(-a_{i_k})}{(a_{i_r}-a_{i_1})\cdots\widehat{(a_{i_r}-a_{i_r})}\cdots(a_{i_r}-a_{i_k})},$$
where the hat over the term indicates its non-existence. This is the value at zero of
Lagrange's interpolation polynomial
$$\sum_{r=1}^{k} p(a_{i_r})\,\frac{(x-a_{i_1})\cdots\widehat{(x-a_{i_r})}\cdots(x-a_{i_k})}{(a_{i_r}-a_{i_1})\cdots\widehat{(a_{i_r}-a_{i_r})}\cdots(a_{i_r}-a_{i_k})},$$
We now may use the idea in Example 6.2.2 to construct a perfect secret sharing
scheme for an arbitrary access structure . We will illustrate this method in the
following.
Example 6.2.4 Let U = {1, 2, 3, 4} and min = {{1, 2}, {2, 3}, {3, 4}}. Let s ∈ Z p
be a secret. Firstly we consider three coalitions of users {1, 2}, {2, 3} and {3, 4}
separately and build 2-out-of-2 schemes on each of these sets of users. Under the
first scheme users 1 and 2 will get shares a and s − a, under the second scheme users
2 and 3 get shares b and s − b and under the third scheme users 3 and 4 get shares c
and s − c. Thus altogether users will get the following shares:
1 ← a,
2 ← (s − a, b),
3 ← (s − b, c),
4 ← s − c.
Let us show that this scheme is perfect. For this we have to consider every maximal
non-authorised coalition and show that it has no clue about the secret. It is easy
to see that every coalition of three or more players is authorised. So the maximal
non-authorised coalitions will be {1, 3}, {1, 4}, {2, 4}. The coalition {1, 3} will know
values a, s − b and c. Since a, b, c were chosen randomly and independently, a, s − b
and c are also three random independent values which contain no information about
s. Similarly for {1, 4} and {2, 4}. Note that under this scheme users 2 and 3 will have
to hold as their shares two elements of Z p each. Their shares will be twice as long
as the secret (in binary representation).
Theorem 6.2.1 For any access structure there exists a perfect secret sharing
scheme which realises it.
Sketch of the proof. Let us consider the set min of all minimal authorised coalitions.
Suppose a user m belongs to q authorised coalitions W_1, W_2, ..., W_q whose cardinalities
are m_1, m_2, ..., m_q. We then consider q separate smaller access structures
where the ith one will be defined on the set of users W_i and will be an m_i-out-of-m_i
access structure. Let si be the share received by user i in this reduced access struc-
ture. So, in total, user i receives the vector of shares (s1 , s2 , . . . , sq ). As the access
structure is public knowledge, user i will use his share si only when an authorised
coalition with his participation contains Wi . If a coalition is not authorised, then
it does not contain any of the W1 , W2 , . . . , Wq and it is possible to show that its
participants cannot get any information about the secret. □
Under this method if a user belongs to k minimal authorised coalitions, then she
will receive k elements of the field to hold as her share.
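The n-out-of-n scheme of Example 6.2.2, the decomposition of Example 6.2.4 and the construction in the sketch of Theorem 6.2.1, as one added Python illustration (not the book's code). Beyond the text it also checks perfectness the way the distribution table does: for a tiny prime p it enumerates every choice of the dealer's random elements and compares what a coalition sees for different secrets. The function names, the representation of shares as a dictionary keyed by minimal coalition, and p = 5 for the enumeration are my own assumptions.

```python
"""Additive n-out-of-n scheme and the decomposition of Theorem 6.2.1 (added illustration)."""
import itertools
import secrets
from collections import Counter


def additive_split(s, n, p, rng=secrets.randbelow):
    """Example 6.2.2: s_1, ..., s_{n-1} random in Z_p and s_n = s - (s_1 + ... + s_{n-1})."""
    parts = [rng(p) for _ in range(n - 1)]
    parts.append((s - sum(parts)) % p)
    return parts


def additive_recover(parts, p):
    """The only recovery function: f_U(s_1, ..., s_n) = s_1 + ... + s_n."""
    return sum(parts) % p


def decomposition_split(s, gamma_min, p, rng=secrets.randbelow):
    """Theorem 6.2.1: run an independent |W|-out-of-|W| scheme for each minimal
    authorised coalition W. Returns {user: {W: share}}; a user who lies in q
    minimal coalitions holds q field elements."""
    shares = {}
    for W in gamma_min:
        W = tuple(sorted(W))
        for user, part in zip(W, additive_split(s, len(W), p, rng)):
            shares.setdefault(user, {})[W] = part
    return shares


def decomposition_recover(coalition, shares, gamma_min, p):
    """A coalition X recovers s exactly when it contains some W in gamma_min; its
    members then add their shares for that W. Otherwise None is returned."""
    X = set(coalition)
    for W in gamma_min:
        W = tuple(sorted(W))
        if set(W) <= X:
            return additive_recover([shares[u][W] for u in W], p)
    return None


def information_ratio(shares):
    """max_i (field elements held by user i); the secret is one field element."""
    return max(len(held) for held in shares.values())


def view_distribution(coalition, gamma_min, p, s):
    """Distribution-table view: enumerate every choice of the dealer's random
    elements for the secret s and count what the coalition sees (tiny p only)."""
    gamma_min = [tuple(sorted(W)) for W in gamma_min]
    draws = sum(len(W) - 1 for W in gamma_min)
    views = Counter()
    for randoms in itertools.product(range(p), repeat=draws):
        it = iter(randoms)
        shares = decomposition_split(s, gamma_min, p, rng=lambda _p: next(it))
        views[tuple(tuple(shares.get(u, {}).values()) for u in sorted(coalition))] += 1
    return views


def is_perfect_for(coalition, gamma_min, p):
    """The coalition learns nothing iff its view has the same distribution for every secret."""
    reference = view_distribution(coalition, gamma_min, p, 0)
    return all(view_distribution(coalition, gamma_min, p, s) == reference for s in range(1, p))


if __name__ == "__main__":
    GAMMA_MIN = [{1, 2}, {2, 3}, {3, 4}]  # Example 6.2.4
    sh = decomposition_split(9, GAMMA_MIN, 101)
    print("users 3,4 recover:", decomposition_recover([3, 4], sh, GAMMA_MIN, 101))
    print("information ratio:", information_ratio(sh))
    print("{1,3} learns nothing:", is_perfect_for([1, 3], GAMMA_MIN, 5))
```

For the access structure of Example 6.2.4 the enumeration confirms that the views of {1, 3}, {1, 4} and {2, 4} are distributed identically for every secret, while the view of the authorised pair {1, 2} is not.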
Suppose $2^{d-1} \le |S_0| < 2^d$ or $\lceil \log_2 |S_0| \rceil = d$. Then we can encode elements of
S_0 (secrets) using binary strings of length d. In this case we say that the length of
the secret is d. Similarly we can talk about the lengths of the share that user i has
received. We say that the information ratio of the secret sharing scheme S is
$$i(S) = \max_{i=1}^{n} \frac{\log_2 |S_i|}{\log_2 |S_0|}.$$
This number is the maximal ratio of the amount of information that must be conveyed
to a participating user to the amount of information that is contained in the secret.
In the secret sharing literature it is also common to use the term information rate,
which is the inverse of the information ratio. The information ratio of the scheme
constructed in Theorem 6.2.1 is terrible. For example, for the $(\frac{n}{2}+1)$-out-of-$n$ scheme
(assume that n is even) every user belongs to $\binom{n}{n/2}$ authorised coalitions, which by
Stirling's formula grows approximately as $2^n/\sqrt{n}$. More precisely, we will have
$$i(S) \sim \sqrt{\frac{2}{\pi}} \cdot \frac{2^n}{\sqrt{n}},$$
i.e., the information ratio of such scheme grows exponentially with n. We know we
can do much better: the information ratio of Shamir’s scheme is 1. However, for
some access structures the information ratio can be large. It is not known exactly
how large it can be.
Exercises
1. Consider the secret sharing scheme with the following distribution table.
s0 s1 s2 s3 s4 s5 s6
0 0 0 1 1 2 2
0 0 0 2 2 1 1
0 1 1 2 2 0 0
0 1 1 0 0 2 2
0 2 2 0 0 1 1
0 2 2 1 1 0 0
1 0 1 1 2 2 0
1 0 2 2 1 1 0
1 1 2 2 0 0 1
1 1 0 0 2 2 1
1 2 0 0 1 1 2
1 2 1 1 0 0 2
(a) What is the domain of the secrets? What are the domains of the shares?
(b) Show that the coalition of users {1, 2} is authorised but {1, 3, 5} is not.
(c) Give the table for the secret recovery function for the coalition {1, 2}.
Let us look at Shamir’s scheme from a different perspective. We can observe that the
vector of the shares (where we think that the secret is the share of the dealer) can be
obtained by the following matrix multiplication as
$$\begin{bmatrix} 1 & 0 & 0 & \dots & 0 \\ 1 & a_1 & a_1^2 & \dots & a_1^{k-1} \\ 1 & a_2 & a_2^2 & \dots & a_2^{k-1} \\ \dots & \dots & \dots & \dots & \dots \\ 1 & a_n & a_n^2 & \dots & a_n^{k-1} \end{bmatrix} \begin{bmatrix} t_0 \\ t_1 \\ \vdots \\ t_{k-1} \end{bmatrix} = \begin{bmatrix} p(0) \\ p(a_1) \\ \vdots \\ p(a_n) \end{bmatrix} = \begin{bmatrix} s_0 \\ s_1 \\ \vdots \\ s_n \end{bmatrix}, \qquad (6.5)$$
and denote the rows of H as h_0, h_1, h_2, ..., h_n. Then the following is true: the span
of a group of distinct rows {h_{i_1}, h_{i_2}, ..., h_{i_r}}, none of which is h_0, contains h_0 if and
only if r ≥ k. We may now define the k-out-of-n access structure as follows:
This can be generalised by considering matrices H other than the one in (6.6).
H_r t = s_r (6.8)
Example 6.2.5 Let U = {1, 2, 3} and min = {{1, 2}, {1, 3}}. We can realise this
access structure by a linear scheme. Consider the matrix
$$H = \begin{bmatrix} 1 & 0 \\ 1 & 1 \\ 1 & -1 \\ 2 & -2 \end{bmatrix}.$$
The dealer may choose two random elements t_0, t_1 from a field Z_p for some large
prime p and calculate
$$\begin{bmatrix} s_0 \\ s_1 \\ s_2 \\ s_3 \end{bmatrix} = H \begin{bmatrix} t_0 \\ t_1 \end{bmatrix},$$
where s_0 is taken as the secret and s_1, s_2 and s_3 are given as shares to users 1, 2 and
3, respectively. (Note that s_0 = t_0.) If users 1 and 2 come together they can find t_0
and t_1 from the system of linear equations
$$\begin{bmatrix} 1 & 1 \\ 1 & -1 \end{bmatrix} \begin{bmatrix} t_0 \\ t_1 \end{bmatrix} = \begin{bmatrix} s_1 \\ s_2 \end{bmatrix}$$
because the determinant of this system is nonzero. Similarly, 1 and 3 can also do
this. But, if 2 and 3 come together, they will face the system
$$\begin{bmatrix} 1 & -1 \\ 2 & -2 \end{bmatrix} \begin{bmatrix} t_0 \\ t_1 \end{bmatrix} = \begin{bmatrix} s_2 \\ s_3 \end{bmatrix},$$
which has exactly p solutions. Their shares therefore provide them with no information
about t_0 and hence s_0.
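A linear scheme driven by a matrix H, as an added Python illustration (not the book's code): shares are computed as s = H t over Z_p, a coalition is tested for authorisation by asking whether h_0 lies in the span of its rows, and when it does the same coefficients applied to the shares give s_0. It is run on the matrix of Example 6.2.5 and on the Vandermonde matrix of (6.5), which shows the Shamir scheme as the special case. The Gauss-Jordan solver, the prime p = 101 and the function names are my own assumptions.

```python
"""Linear secret sharing from a matrix H over Z_p (added illustration, not the book's code)."""
from itertools import combinations


def solve_mod_p(A, b, p):
    """One solution x of A x = b over Z_p by Gauss-Jordan elimination, or None if the
    system is inconsistent. Free variables are set to 0."""
    m, n = len(A), len(A[0])
    M = [[a % p for a in row] + [b[i] % p] for i, row in enumerate(A)]
    pivot_cols, r = [], 0
    for c in range(n):
        piv = next((i for i in range(r, m) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, p)           # field inverse, p prime
        M[r] = [x * inv % p for x in M[r]]
        for i in range(m):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(x - f * y) % p for x, y in zip(M[i], M[r])]
        pivot_cols.append(c)
        r += 1
        if r == m:
            break
    if any(M[i][n] for i in range(r, m)):   # a row reading 0 = nonzero: no solution
        return None
    x = [0] * n
    for i, c in enumerate(pivot_cols):
        x[c] = M[i][n]
    return x


def transpose(M):
    return [list(col) for col in zip(*M)]


def deal(H, t, p):
    """s = H t: s_0 is the secret, s_i the share of user i (rows h_0, h_1, ..., h_n)."""
    return [sum(h * x for h, x in zip(row, t)) % p for row in H]


def combination_for_h0(H, coalition, p):
    """Coefficients lambda with sum_j lambda_j h_{i_j} = h_0, or None if h_0 is not in the span."""
    rows = [H[i] for i in coalition]
    return solve_mod_p(transpose(rows), H[0], p)


def is_authorised(H, coalition, p):
    """Coalition X is authorised iff h_0 lies in span{h_i : i in X}."""
    return combination_for_h0(H, coalition, p) is not None


def recover(H, coalition, shares, p):
    """s_0 = sum_j lambda_j s_{i_j}, because s = H t is linear in the rows of H."""
    lam = combination_for_h0(H, coalition, p)
    if lam is None:
        return None
    return sum(l * shares[i] for l, i in zip(lam, coalition)) % p


def minimal_authorised(H, p):
    """Minimal authorised coalitions of the access structure realised by H."""
    n = len(H) - 1
    auth = [set(X) for r in range(1, n + 1) for X in combinations(range(1, n + 1), r)
            if is_authorised(H, X, p)]
    return [X for X in auth if not any(Y < X for Y in auth)]


def vandermonde(points, k, p):
    """The matrix of (6.5): row 0 is (1, 0, ..., 0), row i is (1, a_i, ..., a_i^{k-1});
    it realises the k-out-of-n threshold structure, i.e. Shamir's scheme."""
    return [[1] + [0] * (k - 1)] + [[pow(a, j, p) for j in range(k)] for a in points]


EXAMPLE_H = [[1, 0], [1, 1], [1, -1], [2, -2]]   # Example 6.2.5

if __name__ == "__main__":
    shares = deal(EXAMPLE_H, [17, 29], 101)      # constructed t = (17, 29)
    print("users 1,2:", recover(EXAMPLE_H, [1, 2], shares, 101))
    print("users 2,3:", recover(EXAMPLE_H, [2, 3], shares, 101))
    print("minimal authorised:", minimal_authorised(EXAMPLE_H, 101))
```

For the pair {2, 3} the solver reports that (1, 0) is not a combination of (1, −1) and (2, −2), which is the linear-algebra form of the statement that their system has p solutions and reveals nothing about t_0.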
Exercises
1. Determine the minimal authorised coalitions for the access structure realised by
the linear secret sharing scheme with the matrix
$$H = \begin{bmatrix} 1 & 0 \\ 1 & 1 \\ 2 & -2 \\ 3 & 3 \\ 4 & -4 \end{bmatrix}$$
over Z_{11}.
2. Let F be a sufficiently large field Z_p. Find the access structure which is realised
by the linear secret sharing scheme with the matrix
$$H = \begin{bmatrix} 1 & 0 & 0 \\ 1 & 1 & 1 \\ 1 & 2 & 4 \\ 1 & 3 & 9 \\ 0 & 0 & 1 \\ 0 & 0 & 2 \\ 0 & 0 & 3 \end{bmatrix}.$$
3. Let F be a sufficiently large field. Find the access structure which is realised by
the linear secret sharing scheme with the matrix
$$H = \begin{bmatrix} 1 & 0 & 0 \\ 1 & 1 & 0 \\ 1 & 2 & 0 \\ 1 & 3 & 3^2 \\ 1 & 4 & 4^2 \\ 1 & 5 & 5^2 \end{bmatrix}.$$
4. Let F be a sufficiently large field. Find the access structure which is realised by
the linear secret sharing scheme with the matrix
$$H = \begin{bmatrix} 1 & 0 & 0 \\ 1 & a_1 & 0 \\ 1 & a_2 & 0 \\ 1 & a_3 & a_3^2 \\ 1 & a_4 & a_4^2 \\ 1 & a_5 & a_5^2 \end{bmatrix},$$
These users got shares 2, 27, 20, 10, 16, respectively, which are also elements
of Z_{31}. Let A = {1, 2, 3} and B = {1, 4, 5} be two coalitions.
(a) Show that one of the coalitions is authorised and the other is not.
(b) Show how the authorised coalition can determine the secret.
6. Let H be an (n + 1) × k matrix over a field F and H be the access structure
defined by the formula (6.7). Let us represent the ith row hi of this matrix as
hi = (ci , hi ), where ci ∈ F is the first coordinate of hi and hi is a (k − 1)-
dimensional row vector of the remaining coordinates. Suppose the coalition
{i 1 , i 2 , . . . , ir } is not authorised in H . Then
$$\sum_{j=1}^{r} \lambda_j h_j = 0 \implies \sum_{j=1}^{r} \lambda_j c_j = 0$$
for all λ_1, λ_2, ..., λ_r.
7. Let U and V be disjoint sets of k and m users, respectively. Let M and N be two
matrices realising linear secret sharing schemes with access structures M and
N . Find the matrix realising the access structures
(a) M + N ,
(b) M × N
on the set of users U ∪ V .
8. Prove that the access structure min = {{1, 2}, {2, 3}, {3, 4}} on the set of users
U = {1, 2, 3, 4} cannot be realised by a linear secret sharing scheme.
9. Let n > 2. The access structure with the set of minimal authorized coalitions
Given a secret sharing scheme with access structure , a user is called a dummy if
she does not belong to any minimal authorised coalition in min . A dummy user can
be removed from any authorised coalition without making it non-authorised.
Theorem 6.2.3 Let S0 be the set of possible secrets and Si be the set of possible
shares that can be given to user i in a secret sharing scheme S. If this scheme is
perfect and has no dummy users, then |Si | ≥ |S0 | for all i = 1, . . . , n or i(S) ≥ 1.
Proof Let i be an arbitrary user. Since no dummies exist, i belongs to one of the
minimal authorised coalitions, say X = {i 1 , i 2 , . . . , i k }, and with no loss of generality
we may assume that i = i k . Suppose that there is a tuple (s0 , s1 , . . . , sn ) ∈ T in the
distribution table where s0 is the secret shared and si1 , si2 , . . . , sik−1 are the shares
given to users i 1 , i 2 , . . . , i k−1 . Since the scheme is perfect the distribution table
contains tuples (s, . . . , si1 , . . . , si2 , . . . , sik−1 , . . .) for every s ∈ S0 . However, if we
add user i = i k we get the coalition X which is authorised and can recover the secret.
Thus, when the shares si1 , si2 , . . . , sik−1 of users i 1 , i 2 , . . . , i k−1 are fixed the secret
depends on the share of the user i only. Hence for every possible secret s there is a
share t (s) which, if given to the user i, leads to recovery s as the secret by coalition
X and can be calculated using the secret recovery function f X of coalition X , that is
_L = {X ⊆ U | span{L_i | i ∈ X} ⊇ L_0}.
Now the secret and the shares will be finite-dimensional vectors over F. Let
{L_0, L_1, ..., L_n} be subspaces of F^k satisfying the property all-or-nothing. Let H_i
be the matrix whose rows form a basis of L i . Then we generate random vectors ti of
the same dimension as dim L i and calculate the secret and the shares as si = Hi ti ,
i = 0, 1, . . . , n. As in the Theorem 6.2.2 it leads to a perfect secret sharing scheme
realising L , however it may not be ideal as the following example shows.
This family satisfies the property all-or-nothing. The access structure associated with
it can be given by the set of minimal authorised coalitions as:
Since the secret is 2-dimensional and some shares are 3-dimensional the information
rate of such scheme will be 3/2. As 3/2 < 2 this is a more efficient secret sharing
scheme realising than the one in Example 6.2.4. In fact, it can be proved that the
scheme for this example is optimal for in the sense that it gives the best possible
information rate.
Exercises
1. Let T be the distribution table of a perfect ideal secret sharing scheme with the
set of users, U = {1, 2, . . . , n}, the dealer 0 and the cardinality of the domain of
secrets q. Prove that
(i) If a coalition C is authorised and C = C ∪ {0}, then #TC = #TC ;
(ii) If a coalition C is not authorised and C = C ∪ {0}, then #TC = q · #TC .
2. Prove all the missing details in Example 6.2.8.
3. In this exercise we consider the case when for an access structure of a secret
sharing scheme with distribution table T all minimal authorised coalitions have
size 2. In this case min can be interpreted as edges of a graph G() defined on
U = {1, 2, . . . , n}. We assume that this graph is connected. Let the cardinality of
the domain of secrets be q.
(i) Show that, if {i, j} ∈ min, then #T_{{i,j}} = q^2.
(ii) Prove that #T_{U∪{0}} = q^2.
(iii) Prove that if {i, j} ∉ min, then #T_{{i,j}} = q.
(iv) Prove that if {i, j} and { j, k} are both not authorised, then {i, k} is not autho-
rised too.
(v) Prove the following theorem proved in [3].
Theorem 6.2.5 Let be an ideal access structure such that all minimal authorised
coalitions have size 2 and G() is connected. Then the complementary graph of
G() is a disjoint union of cliques.
References
1. Shamir, A.: How to share a secret. Commun. ACM 22, 612–613 (1979)
2. Blakley, G.R.: Safeguarding cryptographic keys. In: Proceedings of the National Computer Conference, vol. 48, pp. 313–317 (1979)
3. Brickell, E.F., Davenport, D.M.: On the classification of ideal secret sharing schemes. J. Cryptol. 4, 123–134 (1991)
4. Stinson, D.R.: An explication of secret sharing schemes. Des. Codes Cryptogr. 2, 357–390 (1992)
This chapter deals with the problem of reliable transmission of digitally encoded
information through an unreliable channel. When we transmit information from a
satellite, or an automatic station orbiting the moon, or from a probe on Mars, then
for many reasons (e.g., sun-bursts) our message can be distorted. Even the best
telecommunication systems connecting numerous information centres in various
countries have some non-zero error rate. These are examples of transmission in
space. When we save a file on a hard disc and then try to read it one month later, we
may find that this file has been distorted (due, for example, to microscopic defects
on the disc’s surface). This is an example of transmission in time. The channels
of transmission in both cases are different but they have one important feature in
common: they are not 100 % reliable. In some cases even a single mistake in the
transmission of a message can have serious consequences. We will show how algebra
can help to address this important problem.
We think of a message as a string of symbols of a certain alphabet. The most
common is the alphabet consisting of two symbols 0 and 1. It is called the binary
alphabet and we can interpret these symbols as elements of the finite field Z2 . Some
non-binary alphabets are also used, for example, we can use the symbols of any finite
field F. But we will initially concentrate on the binary case.
The symbols of the message are transmitted through the channel one by one. Let
us see what can happen to them. Since mistakes in the channel do occur, we assume
that, when we transmit 0, with probability p > 1/2 we receive 0 and with probability
1 − p we receive 1 as a result of a mistake in the channel. Similarly, we assume that
transmitting 1 we get 1 with probability p and 0 with probability 1 − p. Thus we
assume that the probability of a mistake does not depend on the transmitted symbol.
In this case the channel is called symmetric. In our case we are talking about a binary
symmetric channel. It can be illustrated as follows:
[Figure: the binary symmetric channel. The transmitted symbol x is received as x with probability p and as x ⊕ 1 with probability 1 − p.]
Here the error is modeled by means of addition modulo 2. Let x be the symbol to
be transmitted. If transmission is perfect, then x will also be the symbol received, but
if a mistake occurs, then the message received will be x ⊕ 1, where the addition is
in the field Z2 . Indeed, 0 ⊕ 1 = 1 and 1 ⊕ 1 = 0. Thus the mistake can be modeled
algebraically as the addition of 1 to the transmitted symbol.
In practical situations p is very close to 1, however, even when p = 0.98, among
any 100 symbols transmitted, on average two will be transmitted with an error. Such a
channel may not be satisfactory to transfer some sensitive data and an error-correction
technique must be implemented.
Binary error-correcting codes are used when messages are strings of zeros and ones,
i.e., the alphabet is Z2 = {0, 1}.
If we transmit symbols of our message one by one, then there is no way that we can
detect an error. That is why we will try to split the message into blocks of symbols
of fixed length m. Any block of m symbols
a1 a2 . . . am , ai ∈ Z2
b = a + ei ,
b = a + ,
where = ei1 + · · · + eik is a vector with k ones and m − k zeros. In this case is
called the error vector.
Proof The first two properties are obvious. Let us prove the third one. Suppose
that x_i ≠ z_i and the position i contributes 1 to d(x, z). Then either x_i = y_i and
y_i ≠ z_i or x_i ≠ y_i and y_i = z_i. Hence the ith position will also contribute 1 to the
sum d(x, y) + d(y, z). Suppose now that x_i = z_i and the position i contributes 0
to d(x, z). Then either x_i = y_i = z_i and the ith position contributes also 0 to the
sum d(x, y) + d(y, z), or y_i differs from both x_i and z_i and the ith position contributes 2 to the
sum d(x, y) + d(y, z). Hence the right-hand side is not smaller than the left-hand
side. □
The following sets play a special role in coding theory. For any x ∈ Z_2^m we define
B_k(x) = {y ∈ Z_2^m | d(x, y) ≤ k}, and we call it the ball of radius k with centre x.
Proof Let y ∈ B_k(x). We may consider the "error vector" e such that y = x + e. Then
y ∈ B_k(x) if and only if wt(e) ≤ k. It is enough to prove that, for each i = 1, ..., k,
there are exactly $\binom{m}{i}$ vectors e ∈ Z_2^m such that wt(e) = i. Indeed, we must choose i
positions out of m in the zero vector and change the coordinates there to ones. Hence
every vector e with wt(e) = i corresponds to an i-element subset of {1, 2, ..., m}.
We know that there are exactly
$$\binom{m}{i} = \frac{m!}{i!\,(m-i)!}$$
such subsets (see, for example, [1], p. 271). Now it is clear that the formula (7.1)
counts all "error vectors" of weight at most k, and hence all vectors y which are at
Hamming distance k or less from x. □
Exercises
u = (1 1 0 1 1 1 0), v = (1 0 0 0 1 1 1).
By now we have already understood the convenience of having all messages of equal
length, say m. Longer messages can be split into several shorter ones. The idea of
error-correction is to increase the length m of a transmitted message and to add to
each message several auxiliary symbols, the so-called check symbols, which will not
bear any information but will help to correct errors. Hence we increase the length of
every message from m to n, where m < n.
Example 7.1.4 (Parity check code) This code increases the length of a message by
1 adding only one check symbol which is the sum modulo 2 of all other symbols.
That is
E(x1 , x2 , . . . , xm ) = (x1 , x2 , . . . , xm+1 ),
where xm+1 = x1 + · · · + xm . Note that the sum of all coordinates for any of the
codevectors is equal to 0:
Let us see now what happens if one mistake occurs. In this case for the received
vector y = (y1 , y2 , . . . , ym+1 ) we will get
y1 + · · · + ym+1 = x1 + · · · + xm+1 + 1 = 0 + 1 = 1.
Example 7.1.5 (Triple repetition code) This code increases the length of a message
threefold by repeating every symbol three times:
E(x1 , x2 , . . . , xm ) = (x1 , x2 , . . . , xm , x1 , x2 , . . . , xm , x1 , x2 , . . . , xm ).
Decoding may be organised as follows. To decide on the first symbol the algorithm
inspects y1 , ym+1 , and y2m+1 . If the majority (two or three) of these symbols are 0’s,
then the decoding algorithm decides that a 0 was transmitted, while if the majority of
symbols are 1’s, then the algorithm decides that a 1 was sent. This code will correct
any single error but will fail to correct some double ones.
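Hamming distance, the size of a ball B_k(x) (formula (7.1) checked against brute-force enumeration), and the parity check and triple repetition codes of Examples 7.1.4 and 7.1.5 with their detection and majority-decoding behaviour, as an added Python illustration (not the book's code). The error positions in the sample calls are constructed; the function names are my own.

```python
"""Hamming distance, balls, and the codes of Examples 7.1.4 and 7.1.5 (added illustration)."""
from itertools import product
from math import comb


def hamming_distance(x, y):
    """d(x, y): number of positions in which x and y differ."""
    return sum(a != b for a, b in zip(x, y))


def weight(x):
    """wt(x) = d(0, x)."""
    return sum(x)


def ball_size(m, k):
    """|B_k(x)| by the counting argument: C(m, i) error vectors of weight i, i = 0..k."""
    return sum(comb(m, i) for i in range(k + 1))


def ball_size_brute_force(m, k):
    """The same number by enumerating Z_2^m around the zero vector (small m only)."""
    zero = (0,) * m
    return sum(1 for y in product((0, 1), repeat=m) if hamming_distance(zero, y) <= k)


def add_errors(a, positions):
    """Received vector b = a + e in Z_2^n, e having ones exactly at the 1-based positions."""
    flips = set(positions)
    return tuple(bit ^ (1 if i + 1 in flips else 0) for i, bit in enumerate(a))


def parity_encode(x):
    """Example 7.1.4: append x_{m+1} = x_1 + ... + x_m (mod 2)."""
    return tuple(x) + (sum(x) % 2,)


def parity_error_detected(y):
    """A received word with odd coordinate sum is not a codeword: an odd number of
    errors is detected, an even number (two, say) passes unnoticed."""
    return sum(y) % 2 == 1


def triple_encode(x):
    """Example 7.1.5: (x_1..x_m, x_1..x_m, x_1..x_m)."""
    return tuple(x) * 3


def triple_decode(y):
    """Majority vote over y_i, y_{m+i}, y_{2m+i} for each information symbol."""
    m = len(y) // 3
    return tuple(int(y[i] + y[i + m] + y[i + 2 * m] >= 2) for i in range(m))


def triple_decodes_correctly(x, error_positions):
    """True iff the repetition code corrects the given error pattern for message x."""
    return triple_decode(add_errors(triple_encode(x), error_positions)) == tuple(x)


if __name__ == "__main__":
    print("|B_2(x)| in Z_2^7:", ball_size(7, 2), ball_size_brute_force(7, 2))
    c = parity_encode((1, 0, 1))
    print("one error detected:", parity_error_detected(add_errors(c, [2])))
    print("two errors detected:", parity_error_detected(add_errors(c, [1, 2])))
    print("triple code, errors at 3 and 7:", triple_decodes_correctly((1, 0, 1, 1), [3, 7]))
```

The last call shows the double error the text warns about: two errors that hit two copies of the same symbol outvote the remaining correct copy, while two errors in different symbol slots are still corrected.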
Definition 7.1.5 Suppose that for all y ∈ Z_2^n the vector x = D(y) is such that the
vector E(x) is the closest (in respect to the Hamming distance) codeword to y (any
of them if there are several within the same distance), then we say that the decoding
function D satisfies maximum likelihood decoding.
Proof We will prove that (c) ⇒ (b) ⇒ (a) ⇒ (c). Suppose that the minimum
distance between any two codewords is at least k + 1. Then, for any codeword x,
the ball Bk (x) does not contain any other codeword, hence (c) ⇒ (b). Further, if a
combination of k or fewer errors occurs, by Proposition 7.1.2 the received vector y
will be in Bk (x). As there are no codevectors in Bk (x), other than x, the error will be
detected, hence (b) ⇒ (a). Finally, for a maximum likelihood decoder to be able to
detect all combinations of k or fewer errors, for any codeword x all vectors in Bk (x)
must not be codewords. Hence the distance between any two codewords is at least
k + 1, thus (a) ⇒ (c). □
Theorem 7.1.4 For a code C the following statements are equivalent:
(a) C corrects all combinations of k or fewer errors.
(b) For any two codewords x and y of C the balls Bk (x) and Bk (y) do not intersect.
(c) The minimum distance between any two codewords of C is at least 2k + 1.
Proof We will prove that (c) ⇒ (b) ⇒ (a) ⇒ (c). Suppose that the minimum
distance between any two codewords is at least 2k + 1. Then, for any two codewords
x and y the balls Bk (x) and Bk (y) do not intersect. Indeed, if they did, then for a
certain z ∈ B_k(x) ∩ B_k(y)
d(x, z) ≤ k, d(y, z) ≤ k,
so that d(x, y) ≤ d(x, z) + d(z, y) ≤ 2k, which is a contradiction, hence (c) ⇒ (b). Further, if no more than k mistakes happen
during the transmission of a vector x, the received vector y will be in the ball Bk (x)
and will not be in the ball of radius k for any other codeword. Hence y is closer to x
than to any other codevector. Since the decoding is a maximum likelihood decoding
y will be decoded to x and all mistakes will be corrected. Thus (b) ⇒ (a).
On the other hand, it is easy to see that if the distance d between two codewords
x and y does not exceed 2k, then certain combinations of k or fewer errors will not
be corrected. To show this let us change d coordinates of x, one by one, and convert
it into y:
x = x0 → x1 → · · · → xk → · · · → xd = y.
Then xk will be no further from y than from x. Hence if k mistakes take place and
the received vector is xk , then it may be decoded as y (even if d = 2k). This shows
that (a) ⇒ (c). □
Exercises
1. Consider the triple repetition (4, 12)-code. Find a necessary and sufficient con-
dition on the error vector e = (e1 , e2 , . . . , e12 ) for the message to be decrypted
correctly. Give an example of an error vector e of Hamming weight 4 which the
code corrects.
an important object. It is so important that it is often identified with the code itself and
also denoted C. We will also do this when it invites no confusion and the encoding
function is clear from the context. We saw that it is extremely important to spread
C = E(Z_2^m) in Z_2^n uniformly and that the most important characteristic of C is the
minimum distance between any two codewords of C
Theorem 7.1.5 A code C detects all combinations of k or fewer errors if and only
if dmin (C) ≥ k + 1 and corrects all combinations of k or fewer errors if and only if
dmin (C) ≥ 2k + 1.
dmin 1 2 3 4 5 6 7 8 9
Errors detected 0 1 2 3 4 5 6 7 8
Errors corrected 0 0 1 1 2 2 3 3 4
It can be proved by induction that any two distinct rows of Hn are orthogonal (see
Exercise 2). This, in turn, is equivalent to the matrix equation
Definition 7.1.6 An n × n matrix H with entries from {+1, −1} satisfying (7.2) is
called a Hadamard matrix.
The orthogonality of the rows of Hn means that any two rows of Hn coincide in
2n−1 positions and also differ in 2n−1 positions. Hence if we replace each −1 with
a 0, we will have a set of vectors with minimum distance 2n−1 . For example, if we
do this with the rows of H3 shown above we will get eight vectors with minimum
distance 4. We can use these vectors for the construction of a code. For example,
( 0 0 0 ) → ( 1 1 1 1 1 1 1 1 ),
( 1 0 0 ) → ( 1 0 1 0 1 0 1 0 ),
( 0 1 0 ) → ( 1 1 0 0 1 1 0 0 ),
( 0 0 1 ) → ( 1 0 0 1 1 0 0 1 ),
( 1 1 0 ) → ( 1 1 1 1 0 0 0 0 ),
( 1 0 1 ) → ( 1 0 1 0 0 1 0 1 ),
( 0 1 1 ) → ( 1 1 0 0 0 0 1 1 ),
( 1 1 1 ) → ( 1 0 0 1 0 1 1 0 ).
When, in 1969, the Mariner spacecraft sent pictures to Earth, the matrix H5 was
used to construct 64 codewords of length 32 with minimum distance 16. Each pixel
had a darkness given by a 6-bit number. Each of them was changed to one of the
64 codewords and transmitted. This code could correct any combination of 7 errors.
Since the signals from Mariner were fairly weak such an error-correcting capability
was really needed.
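The Sylvester construction of H_n, the orthogonality check (7.2), the code obtained by replacing −1 with 0 in the rows, and the 64-word Mariner code from H_5 (rows of H_5 together with their negations) with maximum likelihood decoding of a 7-error pattern, as an added Python illustration (not the book's code). The indexing H_0 = [1], H_n of order 2^n, matches "H_3 gives eight vectors of length 8"; the error positions and function names are my own constructions.

```python
"""Hadamard (Sylvester) matrices and the codes built from them (added illustration)."""
from itertools import combinations


def hadamard(n):
    """H_0 = [1]; H_{k+1} = [[H_k, H_k], [H_k, -H_k]]; H_n has order 2^n."""
    H = [[1]]
    for _ in range(n):
        H = [row + row for row in H] + [row + [-x for x in row] for row in H]
    return H


def is_hadamard(H):
    """Equation (7.2): H H^T = N I, i.e. distinct rows are orthogonal."""
    N = len(H)
    for i in range(N):
        for j in range(N):
            dot = sum(a * b for a, b in zip(H[i], H[j]))
            if dot != (N if i == j else 0):
                return False
    return True


def hadamard_code(n, with_negated_rows=False):
    """Replace -1 by 0 in the rows of H_n; optionally also in the negated rows,
    which doubles the number of codewords as in the Mariner code."""
    rows = hadamard(n)
    if with_negated_rows:
        rows = rows + [[-x for x in row] for row in rows]
    return [tuple(int(x == 1) for x in row) for row in rows]


def hamming_distance(x, y):
    return sum(a != b for a, b in zip(x, y))


def min_distance(code):
    return min(hamming_distance(a, b) for a, b in combinations(code, 2))


def nearest_codeword(code, y):
    """Maximum likelihood decoding: the codeword closest to y in Hamming distance."""
    return min(code, key=lambda c: hamming_distance(c, y))


def flip(word, positions):
    """Received word with the given 0-based coordinates in error."""
    flips = set(positions)
    return tuple(b ^ (1 if i in flips else 0) for i, b in enumerate(word))


def mariner_code():
    """64 codewords of length 32 with minimum distance 16: rows of H_5 and their negations."""
    return hadamard_code(5, with_negated_rows=True)


if __name__ == "__main__":
    C3 = hadamard_code(3)
    print("H_3 code: %d words of length %d, d_min = %d" % (len(C3), len(C3[0]), min_distance(C3)))
    M = mariner_code()
    sent = M[37]                                   # constructed: the 38th codeword
    received = flip(sent, [0, 3, 5, 9, 17, 21, 30])  # constructed 7-error pattern
    print("7 errors corrected:", nearest_codeword(M, received) == sent)
```

Because the minimum distance of the Mariner code is 16, any pattern of 7 or fewer errors leaves the received word strictly closer to the transmitted codeword than to any other, which is exactly the condition of Theorem 7.1.4.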
We may also define the minimum weight of the code by
This concept will be also quite important, especially for linear codes.
We remind the reader of the definition of a subspace. Let F be a field and V be a
vector space over F. A subset W ⊆ V is a subspace if for any two vectors u, v ∈ W
and any two scalars α, β ∈ F the linear combination αu + βv is also an element of
W . In this case W becomes a vector space in its own right.
Exercise 7.1.2 Let W be the set of all vectors from Z_2^n whose sum of all coordinates
is equal to zero. Show that W is a subspace of Z_2^n.
for all x, y ∈ Z_2^m.
Proposition 7.1.3 For any linear code the set of codewords C is a subspace of Z_2^n.
In particular, the zero vector 0 is a codeword.
Proof We will prove that C is a subspace of Z_2^n if we show that the sum of any two
codewords is again a codeword. (As our coefficients come from Z2 , linear combina-
tions are reduced to sums.) Let b, c be two codewords. Then b = E(x) and c = E(y)
and
b + c = E(x) + E(y) = E(x + y) ∈ C.
In particular, 0 = b + b ∈ C. □
Proof Suppose dmin (C) = d(a, b). Then as we know from Lemma 7.1.1 d(a, b) =
wt(a + b), and since a + b ∈ C we get
On the other hand, if wtmin (C) = wt(a), then, again by Lemma 7.1.1, wt(a) =
d(0, a), and hence
dmin (C) ≤ wtmin (C).
0 = (0 0 0) → (0 0 0 0 0 0) = 0
a1 = (1 0 0) → (1 0 0 1 0 0) = c1
a2 = (0 1 0) → (0 1 0 1 1 1) = c2
a3 = (0 0 1) → (0 0 1 0 1 1) = c3
a1 + a2 = (1 1 0) → (1 1 0 0 1 1) = c1 + c2
a1 + a3 = (1 0 1) → (1 0 1 1 1 1) = c1 + c3
a2 + a3 = (0 1 1) → (0 1 1 1 0 0) = c2 + c3
a1 + a2 + a3 = (1 1 1) → (1 1 1 0 0 0) = c1 + c2 + c3 ,
it is easy to see that it is linear. We see that C = Span{c1 , c2 , c3 }, and dmin (C) =
wtmin (C) = wt(c1 ) = 2.
Exercises
E(e1 ) = g1 , . . . , E(em ) = gm ,
where
$$G = \begin{bmatrix} g_1 \\ g_2 \\ \vdots \\ g_m \end{bmatrix}$$
is the matrix with rows g_1, g_2, ..., g_m. Equation (7.3) shows that the code is the row
space of the matrix G, i.e., C = Row(G).
Definition 7.1.8 Let C = (E, D) be a linear (m, n)-code. Then the matrix G such
that
E(a) = aG,
for all $a \in \mathbb{Z}_2^m$, is called the generator matrix of C.
E(a) = (a1, a2, a2, a1 + a2).
Then
$$E(a) = (a_1, a_2, a_2, a_1 + a_2) = a_1 (1, 0, 0, 1) + a_2 (0, 1, 1, 1) = (a_1, a_2) \begin{pmatrix} 1 & 0 & 0 & 1 \\ 0 & 1 & 1 & 1 \end{pmatrix}.$$
7.1 Binary Error-Correcting Codes 183
$$E(e_1) = (1\ 0\ \ldots\ 0\ 1),\quad E(e_2) = (0\ 1\ \ldots\ 0\ 1),\quad \ldots,\quad E(e_m) = (0\ 0\ \ldots\ 1\ 1).$$
Hence
$$G = \begin{pmatrix} 1 & 0 & \cdots & 0 & 1 \\ 0 & 1 & \cdots & 0 & 1 \\ \vdots & \vdots & \ddots & \vdots & \vdots \\ 0 & 0 & \cdots & 1 & 1 \end{pmatrix} = [\, I_m \ \mathbf{1}_m \,],$$
where $\mathbf{1}_m$ denotes the column of m ones.
$$E(e_1) = (1\ 0\ \ldots\ 0\ \ 1\ 0\ \ldots\ 0\ \ 1\ 0\ \ldots\ 0),\quad E(e_2) = (0\ 1\ \ldots\ 0\ \ 0\ 1\ \ldots\ 0\ \ 0\ 1\ \ldots\ 0),\quad \ldots,\quad E(e_m) = (0\ 0\ \ldots\ 1\ \ 0\ 0\ \ldots\ 1\ \ 0\ 0\ \ldots\ 1).$$
Hence
$$G = \begin{pmatrix} 1 & 0 & \cdots & 0 & 1 & 0 & \cdots & 0 & 1 & 0 & \cdots & 0 \\ 0 & 1 & \cdots & 0 & 0 & 1 & \cdots & 0 & 0 & 1 & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & 1 & 0 & 0 & \cdots & 1 & 0 & 0 & \cdots & 1 \end{pmatrix} = [\, I_m \ I_m \ I_m \,].$$
Example 7.1.11 Let us define a linear (3, 5)-code by its generator matrix
$$G = \begin{pmatrix} 1 & 0 & 0 & 0 & 1 \\ 0 & 1 & 0 & 1 & 0 \\ 0 & 0 & 1 & 1 & 1 \end{pmatrix}.$$
We see that the codeword E(a), which encodes a, consists of the vector a itself
embedded into the first three coordinates and two additional symbols.
Definition 7.1.9 A linear (m, n)-code C = (E, D) is called systematic if, for any $a \in \mathbb{Z}_2^m$, the first m symbols of the codeword E(a) are the symbols of the word a, i.e.,
$$E(a_1, a_2, \ldots, a_m) = (\underbrace{a_1, a_2, \ldots, a_m}_{\text{info symbols}},\ \underbrace{b_1, b_2, \ldots, b_{n-m}}_{\text{check symbols}}).$$
The symbols of a in E(a) are called the information symbols and the remaining
symbols are called the check symbols. These are the auxiliary symbols which we
mentioned earlier.
Hence
$$G = \begin{pmatrix} g_1 \\ g_2 \\ \vdots \\ g_m \end{pmatrix} = \begin{pmatrix} 1 & 0 & \cdots & 0 & a_{11} & \cdots & a_{1\,n-m} \\ 0 & 1 & \cdots & 0 & a_{21} & \cdots & a_{2\,n-m} \\ \vdots & \vdots & \ddots & \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & 1 & a_{m1} & \cdots & a_{m\,n-m} \end{pmatrix} = [\, I_m \ A \,].$$
Definition 7.1.10 Two (m, n)-codes C1 = (E1, D1) and C2 = (E2, D2) are called equivalent if, for every $a \in \mathbb{Z}_2^m$, their respective codewords E1(a) and E2(a) differ only in the order of symbols; moreover, the permutation that is required to obtain E1(a) from E2(a) does not depend on a.
(0 0) → (0 0 0 0) (0 0) → (0 0 0 0)
(0 1) → (0 1 0 1) (0 1) → (0 1 0 1)
(1 0) → (1 0 0 1) (1 0) → (0 1 1 0)
(1 1) → (1 1 0 0) (1 1) → (0 0 1 1)
are equivalent. The permutation that must be applied to the symbols of the first code
to obtain the second is (1 3)(2 4).
It is clear that two equivalent codes have the same minimum distance.
Theorem 7.1.7 Let C be a linear (m, n)-code with minimum distance d. Then there
is a systematic linear (m, n)-code with the same minimum distance d.
Proof Let C be a linear (m, n)-code with generator matrix G. When we perform
elementary row operations over the rows of G we do not change Row(G) and hence
the set of codewords (it will change the encoding function, however).
We may, therefore, assume that our matrix G is already in its reduced row echelon
form. Since G has full rank (its rows are linearly independent), we must have m pivot
columns which are the m columns of the identity matrix Im . Let the positions of these
columns be i1 , i2 , . . . , im . Then in a codeword E(a) we will find our information
symbols a1 , a2 , . . . , am in positions i1 , i2 , . . . , im . Moving these columns (and hence
the respective coordinates) to the first m positions, we will obtain a systematic code
which is equivalent to the given one. �
gives us a generator matrix G of a new code with the same minimum distance. It is
equivalent to the systematic code with the generator matrix
$$G = \begin{pmatrix} 1 & 0 & 0 & 1 & 1 & 1 \\ 0 & 1 & 0 & 1 & 0 & 1 \\ 0 & 0 & 1 & 0 & 1 & 1 \end{pmatrix},$$
is the generator matrix of the famous Golay code. This is a (12, 24)-code and its
minimum distance is 8. It was used by the Voyager I and Voyager II space-crafts
during 1979–1981 to provide error correction when the Voyagers transmitted to
Earth colour pictures of Jupiter and Saturn.
Exercises
E(a) = (a1 , a2 , a3 , a1 + a2 + a4 , a2 + a3 , a1 + a3 + a4 , a4 ).
The generator matrix of a code is a great tool for the sender since with its help
the encoding can be done by means of matrix multiplication. All she needs is to
store the generator matrix which contains all the information about the encoding
function. However, the generator matrix is not very useful at the receiving end. On
the receiving end we need another matrix—the parity check matrix, which we will
introduce below.
(of course in Z2 we have −aij = aij, however we would like to leave open the possibility of a non-binary alphabet). Setting, as usual, the values of the free variables to be
$$(x_{m+1}, x_{m+2}, \ldots, x_n) = (1, 0, \ldots, 0),\ (0, 1, \ldots, 0),\ \ldots,\ (0, 0, \ldots, 1),$$
we obtain a basis {f1, f2, …, fn−m} for the solution space of the system GxT = 0 by calculating
$$f_1^T = \begin{pmatrix} -a_{11} \\ -a_{21} \\ \vdots \\ -a_{m1} \\ 1 \\ 0 \\ \vdots \\ 0 \end{pmatrix},\quad f_2^T = \begin{pmatrix} -a_{12} \\ -a_{22} \\ \vdots \\ -a_{m2} \\ 0 \\ 1 \\ \vdots \\ 0 \end{pmatrix},\quad \ldots,\quad f_{n-m}^T = \begin{pmatrix} -a_{1\,n-m} \\ -a_{2\,n-m} \\ \vdots \\ -a_{m\,n-m} \\ 0 \\ 0 \\ \vdots \\ 1 \end{pmatrix}.$$
We will show that the matrix H with rows {f1, f2, …, fn−m} is a parity check matrix for this code. Indeed, each fj is a solution of GxT = 0, so gi · fj = 0 for all i and j, i.e., HgiT = 0 for every row gi of G. Hence for any codeword c ∈ C we have c = a1g1 + a2g2 + ··· + amgm and
$$Hc^T = a_1 Hg_1^T + a_2 Hg_2^T + \cdots + a_m Hg_m^T = 0.$$
We have proved:
Theorem 7.1.8 Let C be a linear (m, n)-code. If G = (Im | A) is a generator matrix
of C, then H = (−AT | In−m ) is a parity check matrix of C.
This works in the other direction too: given an (n−m)×n matrix H = (A | In−m ),
where A is an (n − m) × m matrix, we can construct a linear (m, n)-code C with the
generator matrix G = (Im | −AT ) and it will have H as its parity check matrix.
Example 7.1.15 Suppose that the generator matrix for a binary (4, 7)-code is
$$G = \begin{pmatrix} 1 & 0 & 0 & 0 & 1 & 0 & 1 \\ 0 & 1 & 0 & 0 & 0 & 1 & 1 \\ 0 & 0 & 1 & 0 & 1 & 1 & 0 \\ 0 & 0 & 0 & 1 & 0 & 1 & 0 \end{pmatrix} = (I_4 \mid A).$$
Then
$$H = \begin{pmatrix} 1 & 0 & 1 & 0 & 1 & 0 & 0 \\ 0 & 1 & 1 & 1 & 0 & 1 & 0 \\ 1 & 1 & 0 & 0 & 0 & 0 & 1 \end{pmatrix} = (A^T \mid I_3).$$
Proof By Proposition 7.1.1 e = e_{i_1} + e_{i_2} + ··· + e_{i_s}, where ej is the jth vector of the standard basis of $\mathbb{Z}_2^n$. Then
$$S(b) = Hb^T = H(a + e)^T = 0 + He^T = H\big(e_{i_1}^T + e_{i_2}^T + \cdots + e_{i_s}^T\big) = h_{i_1} + h_{i_2} + \cdots + h_{i_s},$$
the sum of the columns of H in the positions where the mistakes happened. In particular, if only one mistake happened, in position i, then
$$S(b) = Hb^T = h_i .$$
We now know where the mistake happened and can correct it. �
Exercises
1. Let
$$A = \begin{pmatrix} 1 & 2 & 1 & 2 & 1 \\ 1 & 2 & 1 & 0 & 2 \\ 2 & 1 & 0 & 1 & 0 \end{pmatrix}$$
be a matrix over Z3.
(a) Find a basis for the null space Null(A) of this matrix.
(b) List all vectors of the Null(A).
(c) Find among the nonzero vectors of Null(A) the vector whose weight is min-
imal.
2. Let us consider a binary code C given by its parity check matrix
$$H = \begin{pmatrix} 0 & 0 & 1 & 1 & 1 & 0 & 1 \\ 0 & 1 & 0 & 1 & 0 & 1 & 1 \\ 1 & 0 & 0 & 0 & 1 & 1 & 1 \\ 1 & 1 & 1 & 1 & 1 & 1 & 0 \end{pmatrix}.$$
(a) Compute the generator matrix for C. What is the number of information
symbols for this code?
(b) Will the code C correct any single mistake?
(c) Will the code C correct any two mistakes?
(d) Will the code C detect any two mistakes?
(e) Encode the message vector whose coordinates are all equal to 1;
(f) Decode y1 = (1 1 0 1 0 0 1) and y2 = (1 1 0 1 1 0 0);
(g) Show that a single mistake could not result in receiving the vector z =
(0 1 0 1 1 1 1). Show that two mistakes could result in receiving z.
¹ Richard Wesley Hamming (1915–1998) participated in the Manhattan Project that produced the first atomic bombs during World War II. There he was responsible for running the IBM computers in the Los Alamos laboratory, which played a vital role in the project. Later he worked for Bell Labs, after which he became increasingly interested in teaching and taught in a number of leading universities in the USA. Hamming is best known for his work on error-detecting and error-correcting codes. His fundamental paper on this topic, “Error detecting and error correcting codes”, appeared in April 1950 in the Bell System Technical Journal.
and Hamming metric are standard terms used today in coding theory but they are
also used in many other areas of mathematics.
We start with the Hamming (4, 7)-code. Let us consider the binary 3 × 7 matrix
$$H = (h_1\ h_2\ h_3\ h_4\ h_5\ h_6\ h_7) = \begin{pmatrix} 0 & 0 & 0 & 1 & 1 & 1 & 1 \\ 0 & 1 & 1 & 0 & 0 & 1 & 1 \\ 1 & 0 & 1 & 0 & 1 & 0 & 1 \end{pmatrix}, \qquad (7.5)$$
whose ith column hi is the binary representation of the number i.
Assuming that only one mistake happened, we know that this mistake occurred in the
second position. Hence the vector b = (1 1 1 0 0 0 0) was sent and a = (1 1 1 0)
was the original message.
This code is very interesting. It has 2^4 = 16 codewords and, since it corrects any single error, it has minimum distance of at least 3. So, if we take a ball B1(x) of radius one centred at a codeword x, it will not intersect with other similar balls of radius one around other codewords. Due to Theorem 7.1.2, every such ball will have eight vectors of $\mathbb{Z}_2^7$. In total, these balls will contain 16 · 8 = 128 = 2^7 vectors, that is all vectors of $\mathbb{Z}_2^7$. The whole space is the union of those unit balls! This means that the Hamming (4, 7)-code corrects all single mistakes but not a single double mistake, since any double mistake will take you into another ball. Lemma 7.1.2 provides an alternative explanation of why a double mistake will not be corrected. Indeed, the syndrome of a double mistake is the sum of the corresponding two columns of H. However, since all nonzero three-dimensional vectors are used as columns of H, the sum of any two columns will be a third column. This means that any double mistake will be treated as a single mistake and will not be corrected.
Suppose, for example, that the vector a = (1 1 1 0), encoded as b = (1 1 1 0 0 0 0), was sent, and the vector c = (0 1 1 0 0 0 1) was received with mistakes in the first and the seventh positions. The syndrome of it is
$$S(c) = Hc^T = \begin{pmatrix} 0 & 0 & 0 & 1 & 1 & 1 & 1 \\ 0 & 1 & 1 & 0 & 0 & 1 & 1 \\ 1 & 0 & 1 & 0 & 1 & 0 & 1 \end{pmatrix} \begin{pmatrix} 0 \\ 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \end{pmatrix} = h_1 + h_7 = \begin{pmatrix} 1 \\ 1 \\ 0 \end{pmatrix} = h_6,$$
so the decoder would ‘correct’ the sixth position and output (0 1 1 0 0 1 1), a codeword at distance three from b.
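As an added worked example (my own Python, not code from the book, which uses GAP for such computations), the following script performs the computations of this section on the Hamming (4, 7)-code with the parity check matrix (7.5): it enumerates the 16 codewords as Null(H), finds the minimum distance, builds the systematic generator matrix by picking the codeword with each prefix e_i, and runs syndrome decoding, reproducing both the single-error correction and the double-error miscorrection shown above. It also implements the G = (I_m | A) to H = (A^T | I_{n−m}) step of Theorem 7.1.8 and checks it on the matrix of Example 7.1.15. Function names are my own.

```python
"""Binary linear codes via the parity check matrix: codewords, minimum
distance, the systematic generator matrix, syndrome decoding, and the
G = (I_m | A)  ->  H = (A^T | I_{n-m}) step of Theorem 7.1.8.
Worked on the Hamming (4,7)-code with parity check matrix (7.5)."""
from itertools import product

# Parity check matrix (7.5): column i is the binary representation of i.
H = [
    [0, 0, 0, 1, 1, 1, 1],
    [0, 1, 1, 0, 0, 1, 1],
    [1, 0, 1, 0, 1, 0, 1],
]


def syndrome(H, y):
    """S(y) = H y^T over Z_2, returned as a tuple."""
    return tuple(sum(h * v for h, v in zip(row, y)) % 2 for row in H)


def codewords(H):
    """All vectors of Z_2^n with zero syndrome, i.e. the code Null(H)."""
    n = len(H[0])
    zero = (0,) * len(H)
    return [c for c in product((0, 1), repeat=n) if syndrome(H, c) == zero]


def weight(v):
    return sum(1 for x in v if x)


def min_distance(code):
    """For a linear code the minimum distance is the minimum weight of a nonzero codeword."""
    return min(weight(c) for c in code if any(c))


def systematic_generator(H, m):
    """Row g_i = the unique codeword whose first m symbols are e_i.
    This exists exactly when the first m positions are information positions."""
    code = codewords(H)
    G = []
    for i in range(m):
        prefix = tuple(int(j == i) for j in range(m))
        matches = [c for c in code if c[:m] == prefix]
        if len(matches) != 1:
            raise ValueError("positions 1..%d are not information positions" % m)
        G.append(list(matches[0]))
    return G


def encode(G, a):
    """E(a) = aG over Z_2."""
    n = len(G[0])
    return tuple(sum(ai * row[j] for ai, row in zip(a, G)) % 2 for j in range(n))


def decode_single_error(H, y):
    """Syndrome decoding under the assumption of at most one error: if
    S(y) equals column h_i, flip position i.  With (7.5) every nonzero
    syndrome is some column, so a double error is silently 'corrected'
    to a wrong codeword, exactly as the text describes."""
    s = syndrome(H, y)
    if not any(s):
        return tuple(y)
    columns = [tuple(row[j] for row in H) for j in range(len(H[0]))]
    i = columns.index(s)
    y = list(y)
    y[i] ^= 1
    return tuple(y)


def parity_check_from_generator(G):
    """Theorem 7.1.8: G = (I_m | A)  ->  H = (A^T | I_{n-m}); over Z_2, -A = A."""
    m, n = len(G), len(G[0])
    A = [row[m:] for row in G]
    return [[A[i][j] for i in range(m)] + [int(k == j) for k in range(n - m)]
            for j in range(n - m)]


if __name__ == "__main__":
    code = codewords(H)
    print(len(code), "codewords, d_min =", min_distance(code))        # 16, 3
    G = systematic_generator(H, 4)
    b = encode(G, (1, 1, 1, 0))                                        # (1,1,1,0,0,0,0)
    print("one error fixed:", decode_single_error(H, (1, 0, 1, 0, 0, 0, 0)) == b)
    print("two errors ->", decode_single_error(H, (0, 1, 1, 0, 0, 0, 1)))   # (0,1,1,0,0,1,1) != b
    print(parity_check_from_generator(G))
```

The generator matrix found this way is the one the exercise below starts from; the brute-force enumeration is fine for n = 7 but for longer codes one would compute Null(H) by row reduction instead.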
Example 7.1.16 The Hamming (11, 15)-code is given by its parity check matrix
$$H = \begin{pmatrix} 0&0&0&0&0&0&0&1&1&1&1&1&1&1&1 \\ 0&0&0&1&1&1&1&0&0&0&0&1&1&1&1 \\ 0&1&1&0&0&1&1&0&0&1&1&0&0&1&1 \\ 1&0&1&0&1&0&1&0&1&0&1&0&1&0&1 \end{pmatrix},$$
whose columns are the binary representations of 1, 2, …, 15.
Exercises
1. We have defined the Hamming (4, 7)-code by means of the parity check matrix H and we computed the generator matrix G, where
$$H = \begin{pmatrix} 1&0&1&0&1&0&1 \\ 0&1&1&0&0&1&1 \\ 0&0&0&1&1&1&1 \end{pmatrix}, \qquad G = \begin{pmatrix} 1&0&0&0&0&1&1 \\ 0&1&0&0&1&0&1 \\ 0&0&1&0&1&1&0 \\ 0&0&0&1&1&1&1 \end{pmatrix}.$$
There is one particular class of linear codes the construction of which uses some
advanced algebra, and because of that these codes are very effective. In this section
we will consider (m, n)-codes obtained in this way. We will identify our messages (strings of symbols of length m or vectors from $\mathbb{Z}_2^m$) with polynomials of degree at most m − 1. More precisely, this identification is given by the formula
where b = (b0, b1, …, bn−1) ∈ $\mathbb{Z}_2^n$. Such a code is called a polynomial code and
the polynomial g(x) is called the generator polynomial of this code.
Theorem 7.1.10 The polynomial code C is linear with the following m × n generator matrix
$$G = \begin{pmatrix} g_0 & g_1 & \cdots & g_k & & & \\ & g_0 & g_1 & \cdots & g_k & & \\ & & \ddots & \ddots & & \ddots & \\ & & & g_0 & g_1 & \cdots & g_k \end{pmatrix}, \qquad (7.6)$$
where k = n − m = deg g(x) and the entries not shown are zero.
Proof The linearity of the encoding function follows from the distributive law for
polynomials. Suppose that E(a1 ) = b1 and E(a2 ) = b2 with a1 (x), b1 (x), a2 (x),
b2 (x) being the corresponding polynomials. We need to show that E(a1 + a2 ) =
b1 + b2. Indeed, we have
$$a_1 + a_2 \to \big(a_1(x) + a_2(x)\big)\, g(x) = a_1(x) g(x) + a_2(x) g(x) = b_1(x) + b_2(x) \to b_1 + b_2,$$
as required.
To determine the generator matrix we need to calculate E(e1 ), . . . , E(em ). We
have
$$e_i \to x^{i-1} \to x^{i-1} g(x) = g_0 x^{i-1} + g_1 x^{i} + \cdots + g_{n-m} x^{n-m+i-1}.$$
This must be the ith row of the generator matrix G. This gives us (7.6). �
Although for a polynomial code the generator matrix (7.6) is easy to obtain, it is
sometimes more convenient (and gives more insight) to multiply polynomials and
not matrices.
For the polynomial code with g(x) = 1 + x^2 + x^3 and n = 7 the generator matrix (7.6) is
$$G = \begin{pmatrix} 1&0&1&1&0&0&0 \\ 0&1&0&1&1&0&0 \\ 0&0&1&0&1&1&0 \\ 0&0&0&1&0&1&1 \end{pmatrix}.$$
By row reducing G (when we change the encoding function but not the set of codewords), we get
$$G \to \begin{pmatrix} 1&0&1&0&0&1&1 \\ 0&1&0&0&1&1&1 \\ 0&0&1&0&1&1&0 \\ 0&0&0&1&0&1&1 \end{pmatrix} \to \begin{pmatrix} 1&0&0&0&1&0&1 \\ 0&1&0&0&1&1&1 \\ 0&0&1&0&1&1&0 \\ 0&0&0&1&0&1&1 \end{pmatrix}$$
(first adding row 4 to rows 1 and 2, then adding row 3 to row 1). Since it is now in the form (I4 | A), by Theorem 7.1.8 we may obtain its parity check matrix H as (AT | I3), that is,
$$H = (A^T \mid I_3) = \begin{pmatrix} 1&1&1&0&1&0&0 \\ 0&1&1&1&0&1&0 \\ 1&1&0&1&0&0&1 \end{pmatrix}.$$
From this we observe that the code which we obtained is equivalent to the Hamming
code since H = (h5 , h7 , h6 , h3 , h4 , h2 , h1 ), where h1 , h2 , . . . , h7 are the columns
of the parity check matrix of the Hamming code. Hence it is equivalent to the (4,7)
Hamming code.
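The following added Python example (mine, not the book's) builds the generator matrix (7.6) of a polynomial code from g(x), encodes by polynomial multiplication, row-reduces over Z_2 to the systematic form of Theorem 7.1.7 (moving pivot columns to the front when they are not already there, which gives an equivalent code), and derives the parity check matrix by Theorem 7.1.8. Run on g(x) = 1 + x^2 + x^3 and n = 7 it reproduces the matrices above and checks that the columns of H are exactly the nonzero vectors of Z_2^3, i.e. that the code is a Hamming code up to column order. Names are my own; the Gaussian elimination helper is generic and is not from the text.

```python
"""Polynomial codes over Z_2: the generator matrix (7.6) from g(x),
encoding as polynomial multiplication, row reduction to a systematic
generator matrix (I_m | A) and the parity check matrix (A^T | I_{n-m})."""


def poly_mul(a, g):
    """Product of polynomials over Z_2, coefficients listed low degree first."""
    out = [0] * (len(a) + len(g) - 1)
    for i, ai in enumerate(a):
        if ai:
            for j, gj in enumerate(g):
                out[i + j] ^= gj
    return out


def polynomial_generator_matrix(g, n):
    """(7.6): row i is x^{i-1} g(x) for i = 1..m, where m = n - deg g."""
    m = n - (len(g) - 1)
    return [[0] * i + list(g) + [0] * (n - i - len(g)) for i in range(m)]


def encode_poly(a, g, n):
    """E(a): message a <-> a(x); codeword <-> a(x) g(x), padded to length n."""
    b = poly_mul(a, g)
    return b + [0] * (n - len(b))


def rref_gf2(M):
    """Reduced row echelon form over Z_2; returns (matrix, pivot columns).
    Row operations keep Row(M), i.e. the set of codewords (Theorem 7.1.7)."""
    M = [row[:] for row in M]
    pivots, r = [], 0
    for c in range(len(M[0])):
        piv = next((i for i in range(r, len(M)) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        for i in range(len(M)):
            if i != r and M[i][c]:
                M[i] = [x ^ y for x, y in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    return M, pivots


def systematic_form(G):
    """Move the pivot columns to the front: returns (I_m | A), H = (A^T | I_{n-m})
    and the column order used, so the result is a code equivalent to Row(G)
    (identical to it when the order is the identity)."""
    R, pivots = rref_gf2(G)
    m, n = len(R), len(R[0])
    order = pivots + [c for c in range(n) if c not in pivots]
    Gs = [[row[c] for c in order] for row in R]
    A = [row[m:] for row in Gs]
    Hs = [[A[i][j] for i in range(m)] + [int(k == j) for k in range(n - m)]
          for j in range(n - m)]
    return Gs, Hs, order


def is_hamming_like(Hs):
    """True when the columns of Hs are all the distinct nonzero vectors of Z_2^{n-m}."""
    n = len(Hs[0])
    cols = {tuple(row[j] for row in Hs) for j in range(n)}
    return len(cols) == n == 2 ** len(Hs) - 1 and (0,) * len(Hs) not in cols


if __name__ == "__main__":
    g, n = [1, 0, 1, 1], 7        # g(x) = 1 + x^2 + x^3, the (4,7)-code of the text
    G = polynomial_generator_matrix(g, n)
    print(encode_poly([1, 1, 0, 1], g, n))   # (1+x+x^3)(1+x^2+x^3) = 1+x+...+x^6
    Gs, Hs, order = systematic_form(G)
    print(Gs, Hs, order, is_hamming_like(Hs))
```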
Exercises
Let g(x) = 1 + x + x 3 . Consider the polynomial (5, 8)-code C with g(x) as generator
polynomial. For this code
1. Encode a = (1 0 1 0 1).
2. Find the generator matrix G of the code C.
3. Find a systematic linear code C′ (in terms of its parity check matrix) which is equivalent to C.
This is one particularly good class of polynomial codes which was discovered inde-
pendently around 1960 by Bose, Chaudhuri and Hocquenghem. They enable us to
correct multiple errors. Since the construction of the generator polynomial for these
codes is based on a finite field of certain cardinality, we have to construct one first,
say F and then find its primitive element α.
In Chap. 5 we discussed a method of constructing a field which consists of p^n elements. It is unique up to isomorphism and denoted by GF(p^n). To construct it we need to take Zp, find an irreducible polynomial m(x) over Zp of degree n and form F = Zp[x]/(m(x)). There are very good tables of irreducible polynomials over Zp of virtually any degree (see, for example, [2]).
BCH codes work equally well for binary and for non-binary alphabets but in this section we put the main emphasis on the binary case. Therefore we will consider a field F = GF(2^r) for some r which is an extension of Z2. The general case is not much different with only minor changes needed.
As usual we will consider (m, n)-codes, where m denotes the number of informa-
tion symbols and n the length of codewords. The minimum distance of the code we
will denote by d. For BCH codes we, first, have to decide on the length of the code-
words n and on the minimum distance d, then m will depend on these two parameters
but this dependence is not straightforward.
This restriction on the length is not important in applications because it is not
the length of codewords that is practically important (we may divide our messages
into segments of any length) but the speed of transmission, which is characterised
by the ratio m/n, and the error-correcting capabilities of the code, i.e., the minimum
distance d.
We use the extension Z2 ⊆ F for the construction. The length of the word n will be taken to be the number of elements in the multiplicative group of the field F. As we consider the binary situation, this number can only be n = 2^r − 1, where r is an arbitrary positive integer, since the field F of characteristic 2 may have only 2^r elements for some r.
Let α be a primitive element of F. Then it has multiplicative order n and the
powers 1 = α 0 , α, α 2 , . . . , α n−1 are all different. To construct g(x) we need to know
the minimal annihilating polynomials of α, α 2 , . . . , α d−1 . Let mi (x) be the minimal
annihilating polynomial of α i .
Theorem 7.1.11 The polynomial code of length n with the generator polynomial
Proof Since this code is linear, the minimum distance is the same as the minimum
weight. Hence it is enough to prove that there are no codewords of weight d − 1 or
less. Since the code is polynomial, all vectors from $\mathbb{Z}_2^n$ are identified with polynomials of degree smaller than n and the codewords are identified with polynomials which are divisible by g(x). Hence, we have to show that there are no polynomials of degree smaller than n which are multiples of g(x) and have less than d nonzero coefficients.
Suppose on the contrary that the polynomial
$$c(x) = c_1 x^{i_1} + c_2 x^{i_2} + \cdots + c_{d-1} x^{i_{d-1}}, \qquad 0 \le i_1 < i_2 < \cdots < i_{d-1} \le n - 1,$$
with coefficients c1, …, cd−1 ∈ Z2 not all zero, is a multiple of g(x). Since g(x) is a multiple of each of m1(x), …, md−1(x), the elements α, α^2, …, α^{d−1} are roots of c(x), which gives
$$\begin{aligned} c_1 \alpha^{i_1} + c_2 \alpha^{i_2} + \cdots + c_{d-1} \alpha^{i_{d-1}} &= 0 \\ c_1 \alpha^{2 i_1} + c_2 \alpha^{2 i_2} + \cdots + c_{d-1} \alpha^{2 i_{d-1}} &= 0 \\ &\;\;\vdots \\ c_1 \alpha^{(d-1) i_1} + c_2 \alpha^{(d-1) i_2} + \cdots + c_{d-1} \alpha^{(d-1) i_{d-1}} &= 0. \end{aligned}$$
Setting βj = α^{i_j}, this says that the homogeneous linear system
$$\begin{aligned} \beta_1 x_1 + \beta_2 x_2 + \cdots + \beta_{d-1} x_{d-1} &= 0 \\ \beta_1^2 x_1 + \beta_2^2 x_2 + \cdots + \beta_{d-1}^2 x_{d-1} &= 0 \\ &\;\;\vdots \\ \beta_1^{d-1} x_1 + \beta_2^{d-1} x_2 + \cdots + \beta_{d-1}^{d-1} x_{d-1} &= 0 \end{aligned}$$
has a nontrivial solution (c1, c2, …, cd−1). This can happen only if the determinant of this system vanishes. This, however, contradicts the classical result of the theory of determinants that, for any k > 1, the Vandermonde determinant
$$\begin{vmatrix} \beta_1 & \beta_2 & \cdots & \beta_k \\ \beta_1^2 & \beta_2^2 & \cdots & \beta_k^2 \\ \vdots & \vdots & \ddots & \vdots \\ \beta_1^k & \beta_2^k & \cdots & \beta_k^k \end{vmatrix}$$
with nonzero β1, …, βk is zero if and only if βs = βt for some s ≠ t with s ≤ k and t ≤ k (see the Appendix for the proof). Indeed, in our case k = d − 1, every βs = α^{i_s} is nonzero, and βs = α^{i_s} ≠ α^{i_t} = βt for s ≠ t, because is ≠ it both lie between 0 and n − 1 and α has multiplicative order n. This contradiction proves the theorem. �
We note, first, that ai^2 = ai as 0^2 = 0 and 1^2 = 1 for ai ∈ {0, 1}. We also note that since 2x = 0 for all x ∈ F, then (x + y)^2 = x^2 + y^2 for all x, y ∈ F and by induction (x1 + x2 + ··· + xk)^2 = x1^2 + x2^2 + ··· + xk^2. Hence, if m(t) = a0 + a1 t + ··· + ak t^k, then
$$m(\alpha^2) = \sum_{i=0}^{k} a_i \alpha^{2i} = \sum_{i=0}^{k} a_i^2 (\alpha^i)^2 = \Big( \sum_{i=0}^{k} a_i \alpha^i \Big)^2 = m(\alpha)^2 = 0.$$
Hence m(t) is also an annihilating polynomial for α^2. Therefore the minimal irreducible polynomial of α^2 must divide m(t). Since m(t) is irreducible, this is possible only if it coincides with m(t). �
Example 7.1.19 Suppose that we need a code which corrects any two errors and has length 15. Hence d = 5, and we need a field containing 16 elements. Such a field K = Z2[x]/(x^4 + x + 1) was constructed in Example 5.2.3. We also saw that the multiplicative order of x was 15, hence x is a primitive element of K. Let α = x. For correcting any two mistakes we need a code with minimum distance d = 5. Theorem 7.1.11 tells us that we need to take the generator polynomial
$$g(t) = \mathrm{lcm}\big(m_1(t), m_2(t), m_3(t), m_4(t)\big) = m_1(t)\, m_3(t) = (t^4 + t + 1)(t^4 + t^3 + t^2 + t + 1) = t^8 + t^7 + t^6 + t^4 + 1,$$
since by the lemma above m2(t) = m4(t) = m1(t) = t^4 + t + 1, the minimal polynomial of α, while m3(t) = t^4 + t^3 + t^2 + t + 1 is the minimal polynomial of α^3.
Now we may say that m = n − deg (g) = 15 − 8 = 7 and our code C will be a
(7, 15)-code. It will correct any two errors.
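An added Python example (mine, not the book's, which uses GAP) that carries out the construction of Example 7.1.19 from scratch: it represents GF(2^4) = Z_2[x]/(x^4 + x + 1) by 4-bit integers, computes each m_i(t) as the product of (t − β) over the conjugates β = α^i, α^{2i}, α^{4i}, … (by the lemma above these all share one minimal polynomial), takes g(t) = lcm(m_1, …, m_{d−1}), and then checks the guaranteed distance by enumerating all 2^m codewords. The defining polynomial is a parameter, so the same code handles the field of Exercise 1 below. Names are my own.

```python
"""Binary BCH codes: build GF(2^r) = Z_2[x]/(p(x)), take alpha = x, compute the
minimal polynomials m_i(t) of alpha^i and g(t) = lcm(m_1, ..., m_{d-1}), then
check the guaranteed minimum distance by enumerating the code."""
from itertools import product

MODULUS = 0b10011   # x^4 + x + 1, the polynomial defining the field K of Example 7.1.19


def gf_mul(a, b, modulus=MODULUS):
    """Multiply two field elements (bit i of an int = coefficient of x^i),
    reducing by the defining polynomial whenever the degree reaches r."""
    r = modulus.bit_length() - 1
    res = 0
    while b:
        if b & 1:
            res ^= a
        b >>= 1
        a <<= 1
        if a >> r:
            a ^= modulus
    return res


def gf_pow(a, e, modulus=MODULUS):
    res = 1
    for _ in range(e):
        res = gf_mul(res, a, modulus)
    return res


def poly_mul_gf(p, q, modulus=MODULUS):
    """Polynomials in t with coefficients in GF(2^r), low degree first."""
    out = [0] * (len(p) + len(q) - 1)
    for i, pi in enumerate(p):
        for j, qj in enumerate(q):
            out[i + j] ^= gf_mul(pi, qj, modulus)
    return out


def minimal_polynomial(i, modulus=MODULUS):
    """m_i(t) = product over the conjugates alpha^i, alpha^{2i}, alpha^{4i}, ... of
    (t - alpha^e).  The coefficients land in Z_2 because the set of conjugates
    is closed under squaring."""
    r = modulus.bit_length() - 1
    n = 2 ** r - 1
    alpha = 0b10
    conjugates, e = [], i % n
    while e not in conjugates:
        conjugates.append(e)
        e = (2 * e) % n
    poly = [1]
    for e in conjugates:
        poly = poly_mul_gf(poly, [gf_pow(alpha, e, modulus), 1], modulus)   # t + alpha^e
    assert all(c in (0, 1) for c in poly)
    return poly


def bch_generator(d, modulus=MODULUS):
    """g(t) = lcm(m_1, ..., m_{d-1}): each distinct minimal polynomial is used once."""
    seen, g = [], [1]
    for i in range(1, d):
        m = minimal_polynomial(i, modulus)
        if m not in seen:
            seen.append(m)
            g = poly_mul_gf(g, m, modulus)
    return g


def min_weight(g, n):
    """Smallest weight of a nonzero codeword a(t) g(t), deg a < m = n - deg g."""
    m = n - (len(g) - 1)
    best = n
    for a in product((0, 1), repeat=m):
        if any(a):
            best = min(best, sum(poly_mul_gf(list(a), g)))
    return best


if __name__ == "__main__":
    g = bch_generator(5)
    print(g)                                                   # [1,0,0,0,1,0,1,1,1]: 1 + t^4 + t^6 + t^7 + t^8
    print("m =", 15 - (len(g) - 1), "d_min =", min_weight(g, 15))   # m = 7, d_min = 5
```

Asking for d = 7 instead gives a generator polynomial of degree 10, hence a (5, 15)-code, whose actual minimum distance the same enumeration reports as 7.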
A more practical example is a code widely used in European data communication systems. It is a binary (231, 255)-code with a guaranteed minimum distance of 7. The field consisting of 2^8 = 256 elements is used and the generator polynomial has degree 24.
Exercises
1. Construct a binary (m, n)-code with the length of codewords n = 15, which
corrects all triple errors, in following steps:
(a) Using the field K = Z2 [x]/(x 4 + x 3 + 1), compute the generating polynomial
g(t) of a binary BCH code with the length of the codewords n = 15 and with
a minimum distance 7.
(b) What is the number m of information symbols?
(c) Write down the generating matrix G of this BCH code.
(d) Encode the message which is represented by the string of m ones.
2. In European data communication systems a binary BCH (231, 255)-code is used
with guaranteed minimum distance 7. Using GAP find the generator polynomial
of this code.
Non-binary codes have many different uses. Any finite field Zp can be used as an
alphabet of a code if the channel allows us to distinguish p different symbols. Non-
binary codes can be used as an intermediate step in the construction of good binary
codes, and they can also be used in the construction of fingerprinting codes, which
we will discuss in the next section.
We will again consider (m, n)-codes. The encoding function of such a code will be a
mapping (normally linear) E : F m → F n for a certain finite field F which serves as
the alphabet. The Hamming weight and the Hamming distance are defined exactly
as for binary codes.
d(u, v) = wt(u − v) = wt (0 2 0 0 0 1 0) = 2.
If u was sent and v was received, then the error vector is e = v −u = (0 1 0 0 0 2 0).
With non-binary codes we don’t have the luxury that −a = a anymore. With
ternary codes we have −a = 2a instead! But the following theorem is still true:
Theorem 7.2.1 A code C detects all combinations of k or fewer errors if and only
if dmin (C) ≥ k + 1 and corrects all combinations of k or fewer errors if and only if
dmin (C) ≥ 2k + 1.
The error correction capabilities of any code will again be dependent on the
minimum distance of the code, and the minimum distance for a linear code will be
equal to the minimum weight.
The concepts of generator matrix G and parity check matrix H are the same.
A little refinement must be made for finding G from H and the other way around.
Namely, if G = (Im | A), then H = (−AT | In−m ). Theorem 7.1.9 must be also
slightly generalised to allow the design of non-binary error-correcting codes capable
of correcting all single mistakes.
Theorem 7.2.3 A linear (non-binary) code with parity check matrix H corrects all
single mistakes if and only if no one column of H is a multiple of another column.
$$e = (0\ \ldots\ 0\ a\ 0\ \ldots\ 0) = a\,(0\ \ldots\ 0\ 1\ 0\ \ldots\ 0),$$
with the nonzero symbol a in position i, and so
$$He^T = a\,h_i,$$
a nonzero multiple of the ith column of H. The secret behind this matrix is that every nonzero column vector from $\mathbb{Z}_3^3$ is either a column of H or a multiple of such a column. Then this code will be a (10, 13)-code that corrects any single mistake. For example, the syndrome
$$Hy^T = \begin{pmatrix} 2 \\ 0 \\ 1 \end{pmatrix} = 2h_7,$$
for y ∈ $\mathbb{Z}_3^{13}$ shows that a mistake happened in the 7th position and it should be corrected by subtracting 2 from (or, equivalently, adding 1 to) the coordinate y7.
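The matrix H referred to above is not reproduced on this page, so the following added Python example (mine, not the book's) constructs one with the stated property: the 13 nonzero vectors of Z_3^3 whose first nonzero entry is 1 are taken as columns, with the three unit vectors last so that H = (A | I_3). It then computes G = (I_10 | −A^T) as described above, checks G H^T = 0, and decodes a single error by matching the syndrome against the multiples a·h_i of the columns, which is the step that distinguishes the non-binary case from the binary one. The message vector is a constructed sample; names are my own.

```python
"""Ternary single-error-correcting code (Theorem 7.2.3): a parity check matrix
whose columns are pairwise non-proportional, G = (I_m | -A^T) from H = (A | I_{n-m}),
and syndrome decoding where the syndrome is a scalar multiple a*h_i of a column."""
from itertools import product

P = 3   # the alphabet Z_3


def first_nonzero_is_one(v):
    return any(v) and next(x for x in v if x) == 1


def ternary_hamming_columns():
    """The 13 nonzero vectors of Z_3^3 whose first nonzero entry is 1: every
    nonzero vector of Z_3^3 is a multiple of exactly one of them.  The unit
    vectors are placed last so that H has the form (A | I_3)."""
    cols = [v for v in product(range(P), repeat=3) if first_nonzero_is_one(v)]
    units = [(1, 0, 0), (0, 1, 0), (0, 0, 1)]
    return [c for c in cols if c not in units] + units


def matrix_from_columns(cols):
    return [[c[j] for c in cols] for j in range(len(cols[0]))]


def columns_of(H):
    return [tuple(row[j] for row in H) for j in range(len(H[0]))]


def scale(a, v):
    return tuple((a * x) % P for x in v)


def no_column_is_multiple_of_another(H):
    """The condition of Theorem 7.2.3."""
    cols = columns_of(H)
    for i, c in enumerate(cols):
        for d in cols[i + 1:]:
            if any(scale(a, c) == d for a in range(1, P)):
                return False
    return True


def generator_from_parity_check(H):
    """H = (A | I_{n-m})  ->  G = (I_m | -A^T)  (entries mod p)."""
    k, n = len(H), len(H[0])
    m = n - k
    A = [row[:m] for row in H]
    return [[int(j == i) for j in range(m)] + [(-A[r][i]) % P for r in range(k)]
            for i in range(m)]


def encode(G, a):
    n = len(G[0])
    return tuple(sum(ai * row[j] for ai, row in zip(a, G)) % P for j in range(n))


def syndrome(H, y):
    return tuple(sum(h * v for h, v in zip(row, y)) % P for row in H)


def decode_single_error(H, y):
    """If S(y) = a*h_i, an error of value a occurred in position i: subtract it."""
    s = syndrome(H, y)
    if not any(s):
        return tuple(y)
    for i, c in enumerate(columns_of(H)):
        for a in range(1, P):
            if scale(a, c) == s:
                y = list(y)
                y[i] = (y[i] - a) % P
                return tuple(y)
    raise ValueError("syndrome is not a multiple of a single column: more than one error")


if __name__ == "__main__":
    H = matrix_from_columns(ternary_hamming_columns())        # 3 x 13, a (10,13)-code
    G = generator_from_parity_check(H)
    print(no_column_is_multiple_of_another(H))                # True
    msg = (1, 2, 0, 1, 1, 2, 2, 0, 1, 0)                      # constructed sample message
    c = encode(G, msg)
    y = list(c)
    y[6] = (y[6] + 2) % P                                     # add 2 in the 7th position
    print(syndrome(H, y), decode_single_error(H, y) == c)     # 2*h_7, True
```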
Exercises
In the exercises below, all matrices and codes are ternary, i.e., over Z3 .
1. Suppose the matrix
$$H_1 = \begin{pmatrix} 1 & 2 & 1 & 2 & 1 & 1 \\ 1 & 2 & 1 & 0 & 2 & 1 \\ 2 & 1 & 0 & 1 & 0 & 2 \end{pmatrix}$$
is taken as a parity check matrix of a ternary error correcting code C1 . Will this
code correct all single errors?
2. Find the generator matrix for the code C2 with the following parity check matrix
$$H_2 = \begin{pmatrix} 1 & 2 & 1 & 2 & 1 & 1 \\ 1 & 2 & 1 & 0 & 2 & 2 \\ 2 & 1 & 0 & 1 & 0 & 1 \end{pmatrix}.$$
3. Suppose that the code C2 was used. Decode the vector y = (0 2 2 2 2 2).
No changes at all should be made for polynomial codes and BCH codes. Among
non-binary BCH codes Reed–Solomon codes are of special practical importance.
They are also widely used to build other good codes, including good binary codes.
Proof We consider the trivial extension of fields F ⊆ F. Let mi (x) be the minimal
irreducible polynomial of α i over F. Then mi (x) = x − α i and we see that the RS
code is a BCH code. By Theorem 7.1.11 its guaranteed minimum distance is d. �
Example 7.2.3 Let F = Z2[t]/(t^2 + t + 1). Then F = {0, 1, α, β}, where α = t and β = t + 1. We note that β = α^2 (and αβ = α^3 = 1), so α is a primitive element of F. The RS (2, 3)-code over F with generator polynomial g(x) = x + α (which is the same as x − α) will have minimum distance 2. It will have 4^2 = 16 codevectors. Let us encode the message (α β). We have
$$(\alpha + \beta x)(x + \alpha) = \alpha^2 + (\alpha + \alpha\beta)\, x + \beta x^2 = \beta + (\alpha + 1)\, x + \beta x^2 = \beta + \beta x + \beta x^2 \to (\beta\ \beta\ \beta).$$
Encoding all 16 messages in the same way we obtain the codevectors
(0 0 0) (α 1 0) (0 α 1) (α β 1)
(β α 0) (0 β α) (β 1 α) (1 1 1)
(1 β 0) (0 1 β) (1 α β) (α α α)
(β 0 1) (α 0 β) (1 0 α) (β β β)
The Reed–Solomon codes are among the best known. To substantiate this claim
let us prove the following
Theorem 7.2.5 (The Singleton bound) Let C be a linear (m, n)-code. Then
dmin (C) ≤ n − m + 1.
Proof Let us consider the codeword E(e1 ) = g1 . It has only one nonzero information
symbol. It has n − m check symbols which may also be nonzero. In total, wt(g1 ) ≤
n − m + 1. But
dmin (C) = wtmin (C) ≤ wt(g1 ) ≤ n − m + 1.
Now we can show that any Reed–Solomon code achieves the Singleton bound.
Proof Let us consider the Reed–Solomon code C of length n with the generator
polynomial
g(x) = (x − α)(x − α 2 ) . . . (x − α d−1 ).
Let m be the number of information symbols. We know that dmin (C) ≥ d since d
is the guaranteed minimum distance of this code. Since the degree of the generator
polynomial is d − 1, this will be the number of check symbols of this polynomial
code, i.e., d − 1 = n − m. Hence dmin (C) ≥ d = n − m + 1. By the previous theorem
we obtain dmin (C) = n − m + 1 and C achieves the Singleton bound. �
As we mentioned, good binary codes can be obtained from RS codes. Let F be a
field of 2r elements, n = 2r −1. We know that F is an r-dimensional vector space over
Z2 and any element of F can be represented as a binary r-tuple. First we construct
an RS (m, n)-code over F and then, in each codeword we replace every element of
F with the corresponding binary tuple. We obtain an (rm, rn)-code which is binary.
Such codes are very good in correcting bursts of errors (several errors occurring in
close proximity) because such multiple errors affect not too many elements of F in
codewords of the RS-code and can be therefore corrected. Such codes are used in
CD-players because any microscopic defect on a disc results in a burst of errors.
We see that our choice of a code might be a result of the selected model for
mistakes: when they are random and independent we use one type of code, when
they are highly dependent (and come in bursts) we user another type of code.
Example 7.2.5 In Example 7.2.3, using the basis {1, α} for F, we may represent the elements of F as follows: a + bα ↔ (a b), that is,
0 ↔ (0 0), 1 ↔ (1 0), α ↔ (0 1), β = 1 + α ↔ (1 1).
Then we will obtain a binary (4, 6)-code with the following codevectors:
(0 0 0 0 0 0) (0 1 1 0 0 0) (0 0 0 1 1 0) (0 1 1 1 1 0)
(1 1 0 1 0 0) (0 0 1 1 0 1) (1 1 1 0 0 1) (1 0 1 0 1 0)
(1 0 1 1 0 0) (0 0 1 0 1 1) (1 0 0 1 1 1) (0 1 0 1 0 1)
(1 1 0 0 1 0) (0 1 0 0 1 1) (1 0 0 0 0 1) (1 1 1 1 1 1),
which correspond to the sixteen codevectors of Example 7.2.3 in the same order.
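The following added Python example (mine, not from the book) reproduces Examples 7.2.3 and 7.2.5: it implements GF(4) with α = t as a primitive element, builds the Reed–Solomon generator polynomial (x − α)(x − α^2)⋯(x − α^{d−1}), lists all codewords, checks that the minimum distance meets the Singleton bound n − m + 1, and produces the binary image in the basis {1, α}. Names are my own.

```python
"""Reed-Solomon (2,3)-code over F = GF(4) = Z_2[t]/(t^2+t+1) (Example 7.2.3):
all 16 codewords, the Singleton bound d_min = n - m + 1, and the binary
(4,6)-code obtained by writing each symbol in the basis {1, alpha} (Example 7.2.5)."""
from itertools import product

# Elements as integers 0, 1, 2, 3 = 0, 1, alpha, beta with bit 0 = coefficient of 1
# and bit 1 = coefficient of alpha (so beta = 1 + alpha).  Addition is XOR.
ALPHA, BETA = 2, 3
NAME = {0: "0", 1: "1", 2: "a", 3: "b"}
LOG = {1: 0, ALPHA: 1, BETA: 2}          # alpha^0 = 1, alpha^1 = alpha, alpha^2 = beta
EXP = {0: 1, 1: ALPHA, 2: BETA}


def mul(a, b):
    """Multiplication in GF(4) through discrete logarithms to the base alpha."""
    if a == 0 or b == 0:
        return 0
    return EXP[(LOG[a] + LOG[b]) % 3]


def poly_mul(p, q):
    """Polynomials over GF(4), coefficients low degree first."""
    out = [0] * (len(p) + len(q) - 1)
    for i, pi in enumerate(p):
        for j, qj in enumerate(q):
            out[i + j] ^= mul(pi, qj)
    return out


def rs_generator(d):
    """g(x) = (x - alpha)(x - alpha^2)...(x - alpha^{d-1}); in characteristic 2, x - c = x + c."""
    g = [1]
    for i in range(1, d):
        g = poly_mul(g, [EXP[i % 3], 1])
    return g


def rs_codewords(d, n=3):
    """All codewords a(x) g(x) with deg a < m = n - (d - 1)."""
    g = rs_generator(d)
    m = n - (len(g) - 1)
    return sorted(tuple(poly_mul(list(a), g)) for a in product(range(4), repeat=m))


def hamming_distance(u, v):
    return sum(1 for x, y in zip(u, v) if x != y)


def min_distance(code):
    return min(hamming_distance(u, v) for u in code for v in code if u != v)


def binary_image(code):
    """Replace each symbol c0 + c1*alpha by the binary pair (c0, c1)."""
    return sorted(tuple(bit for s in c for bit in (s & 1, s >> 1)) for c in code)


def pretty(c):
    return "(" + " ".join(NAME[s] for s in c) + ")"


if __name__ == "__main__":
    code = rs_codewords(2)                          # g(x) = x + alpha, d = 2
    print(len(code), "codewords, d_min =", min_distance(code))    # 16, 2 = n - m + 1
    print(" ".join(pretty(c) for c in code))
    b = binary_image(code)
    print(len(b), "binary words of length", len(b[0]), "with d_min =", min_distance(b))
```

With d = 3 the same functions give the (1, 3)-code generated by (x + α)(x + β) = x^2 + x + 1, whose four codewords are the constant vectors and whose minimum distance 3 again equals n − m + 1.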
The rapid growth of the digital economy, facilitated by spread of broadband avail-
ability, and rapid increases in computing power and storage capacity, has created
a global market for content and rights holders of intellectual property. But it also
creates a threat, that without adequate means of protection, piracy will prevent this
market from functioning properly.
Managing intellectual property in electronic environments is not an easy task. On the one hand owners of the content would like to sell it for profit to paying customers but at the same time to protect it from any further illegal distribution. There are many ways to do so. One avenue is opened with the recent development of fingerprinting codes that provide combinatorial and algebraic methods of tracing illegally ‘pirated’ data. The idea is that a codeword might be embedded in the content (software, music, movie) in such a way that any illegally produced copies will reveal the distributor.
For example, such a situation emerges in the context of pay TV, where only paying customers should be able to view certain programs. The broadcast signal is normally encrypted and the decryption keys are sent to the paying subscribers. If an illegal decoder is found, the source of its decryption keys must be identified.
Fingerprinting techniques have been used for quite some time; fingerprints have
been embedded in digital video, documents and computer programs. However, only
recently has it become possible to give protection against colluding malicious users.
This is what fingerprinting codes are about. This section is largely based on the
groundbreaking paper of Boneh and Shaw [4] and also on the paper by Staddon
et al. [5].
There are numerous ways to embed a codeword identifying the user in the content which is normally represented as a file. A copy of the file sold to the user can therefore be characterised by a vector x = (x1, x2, …, xn) ∈ $\mathbb{Z}_q^n$ specific to this particular copy. This is a fingerprint of this copy. Any subset C ⊂ $\mathbb{Z}_q^n$ may be used as the set of fingerprints and will be called a fingerprinting (watermarking) code.
A malicious coalition of users may try to create a pirate copy of the product
by trying to identify the embedded fingerprint and to change it. To achieve this,
they might compare their files—for example, using the diff command—and find
positions in which their files differ. These will certainly belong to the code so the
coalition may discover some but not all symbols of the fingerprint. They might change
the symbols in the identified positions with the goal of producing another legitimate
copy of the product that was sold to another user (or has not yet been sold). This way
they might ‘frame’ an innocent user.
The owner of the property rights for the content would like to design a scheme
that enables the identification of at least one member of the coalition that produced a
pirated copy. As a bottom line, the scheme should make it infeasible for a malicious
coalition to frame an innocent user by producing their fingerprint. Of course, we
have to make an assumption that the malicious coalition is not too large (and here
we have clear analogy with error-correcting codes that too are effective if there were
not too many mistakes during the transmission).
Let us now proceed to formal definitions.
Definition 7.3.1 Let X ⊆ $\mathbb{Z}_q^n$. For any coordinate i we define the projection
$$P_i(X) = \{\, x_i : x \in X \,\}.$$
In other words Pi(X) is the set of all ith coordinates of the words from X.
Example 7.3.1 Let X = {x, y, z}, where
x = (0 1 2 3),
y = (0 0 2 2),
z = (0 1 3 1).
Then P1(X) = {0}, P2(X) = {0, 1}, P3(X) = {2, 3}, P4(X) = {1, 2, 3}.
Definition 7.3.2 We also define the envelope of X
$$\mathrm{desc}(X) = \{\, y \in \mathbb{Z}_q^n : y_i \in P_i(X) \text{ for all } i = 1, \ldots, n \,\} = P_1(X) \times P_2(X) \times \cdots \times P_n(X).$$
Elements of the envelope are called descendants of X and elements from X are called their parents. It is clear that X ⊆ desc(X).
Definition 7.3.3 For any positive integer w, we will also define a restricted envelope
descw (X), which consists of all descendants of subsets of X of cardinality w.
We illustrate the difference between desc(X) and descw (X) in the following
example.
Example 7.3.2 Let X = {x, y, z}, where
x = (1 0 0),
y = (0 1 0),
z = (0 0 1).
Example 7.3.3 Let C ⊂ $\mathbb{Z}_4^4$ be the fingerprinting code consisting of the vectors
u = (0 1 2 3),
v = (1 2 3 0),
w = (2 3 0 1),
x = (3 0 1 2),
y = (0 0 0 0),
z = (1 1 1 1).
Exercises
x1 = (1 1 1 0 0 0 2 2 2),
x2 = (1 1 2 2 0 0 1 1 2),
x3 = (1 2 2 0 2 0 1 2 0).
One goal that immediately comes to our mind is to secure that a coalition of malicious
users cannot frame an innocent user. Of course, such protection can be put in place
only against reasonably small malicious coalitions in a direct analogy with error-
correcting codes where the decoder is capable of correcting only a limited number
of mistakes.
Definition 7.3.4 A code C is called w-frameproof (w-FP code) if for every subset
X ⊂ C such that |X| ≤ w we have
desc(X) ∩ C = X.
Example 7.3.4 The code C consisting of the n elements of the standard basis of $\mathbb{Z}_q^n$
e1 = (1 0 0 . . . 0),
e2 = (0 1 0 . . . 0),
...
en = (0 0 0 . . . 1)
Example 7.3.5 The code in Example 7.3.3 is 3-frameproof. Indeed, the first four
users cannot be framed by any coalition to which they do not belong because each
of them contains 3 in the position where all other users have symbols different from
3. It is also easy to see that the two last users cannot be framed by any coalition of
three or fewer users.
The following function will be useful in our proofs. For any two words u, v of
length n we define I(u, v) = n − d(u, v). In other words, I(u, v) is the number of
coordinates where u and v agree.
As in the theory of error-correcting codes, the minimum distance dmin (C) between
any two distinct codewords is an important parameter.
have d(y, xi) > n(1 − 1/w) and hence we obtain I(y, xi) = n − d(y, xi) < n − (n − n/w) = n/w. This means that y and xi coincide in less than n/w positions and, hence, fewer than n/w positions of y could come from xi. Since we have exactly w elements in X, it follows now that fewer than w · n/w = n coordinates in y can come from vectors of X. Hence at least one coordinate of y, say yj, does not coincide with the jth coordinate of any of the vectors x1, x2, …, xw and therefore yj ∉ Pj(X). This contradicts the assumption that y is a descendant of X. �
Exercises
The code C ⊂ {1, 2, 3}6 consists of six codewords:
Definition 7.3.5 We say that a code C has the identifiable parent property of order
w (w-IPP code) if for any x ∈ descw (C) the family of subsets
c1 = (1 1 1 1 1),
7.3 Fingerprinting Codes 209
c2 = (1 2 2 2 2),
c3 = (1 3 3 3 3),
c4 = (1 4 4 4 4),
c5 = (2 1 2 3 4),
c6 = (2 2 1 4 3),
c7 = (2 3 1 4 2),
c8 = (2 4 3 2 1),
c9 = (3 1 4 2 3),
c10 = (3 2 3 1 4),
c11 = (3 3 2 4 1),
c12 = (3 4 1 3 2),
c13 = (3 4 1 3 2),
c14 = (4 2 4 3 1),
c15 = (4 4 2 1 3).
It is really hard to check that this code indeed is 2-IPP but relatively easy to check
that dmin (C) = 4. As we will see later Theorem 7.3.3 will imply 2-IPP for this code.
Codes with the identifiable parent property normally require a large alphabet. The
binary alphabet is the worst one.
Proposition 7.3.2 There does not exist a binary 2-IPP code C with |C| ≥ 3.
Definition 7.3.6 A code C is called w-traceable (w-TA code) if for any y ∈ descw (C)
the inclusion y ∈ desc(X), for some subset X ⊆ C with |X| = w, implies the existence
of at least one codeword x ∈ X such that d(y, x) < d(y, z) for any z ∈ C \ X.
If a code is a w-TA code, we can always trace at least one parent of y ∈ descw (C)
using a process similar to maximum likelihood decoding for error correcting codes.
Indeed, the following proposition is true.
Proposition 7.3.3 Suppose that a code C is w-traceable, and y ∈ desc(X) for some
subset X ⊆ C with |X| = w. Let x1 , x2 , . . . , xk be the set of vectors from C such
that d = d(y, x1 ) = · · · = d(y, xk ) and no vector z ∈ C satisfies d(y, z) < d. Then
{x1 , x2 , . . . , xk } ⊆ X.
Proof Suppose x_i ∉ X for some i. Then by the traceability property there must be a
vector x ∈ X such that d(y, x) < d(y, x_i) = d, which contradicts the minimality
of d. □
Let us now state one obvious fact.
Lemma 7.3.1 Let X = {x1 , x2 , . . . , xw } and y ∈ desc(X). Then there exists i ∈
{1, 2, . . . , w} such that I(xi , y) ≥ n/w.
Proof Suppose on the contrary that I(x_i, y) < n/w for all i ∈ {1, 2, ..., w}. Then
y inherited fewer than n/w coordinates from each x_i. In total it inherited fewer than
w · n/w = n coordinates from vectors of X, so some coordinate of y is inherited from
none of them and y cannot be a descendant of X. □
Theorem 7.3.2 Any w-TA code C is also a w-IPP code.
Proof Suppose that the code C is w-traceable. Let x ∈ descw (C). Let us consider a
family of subsets (7.10). Suppose y ∈ C is the closest or one of the closest vectors of
C to x, i.e., the distance d(x, y) is the smallest possible. Because C is w-traceable y
must belong to every subset of the family (7.10), hence its intersection is nonempty
and the w-IPP property holds. �
Theorem 7.3.3 Suppose that a code C of length n has minimum distance
$$d_{\min}(C) > n\left(1 - \frac{1}{w^2}\right).$$
Then C is a w-traceable code and hence has the identifiable parent property of
order w.
Proof Let X ⊆ C with |X| = w. Suppose X = {x_1, x_2, ..., x_w}. Let us consider any
z ∈ C \ X. Then, for any i, I(z, x_i) = n − d(z, x_i) < n − (n − n/w²) = n/w², i.e.,
the number of coordinates where z and x_i agree is less than n/w². We now define
$$I(z, X) = \{\, j \mid z_j \in P_j(X) \,\}.$$
Every j ∈ I(z, X) is a coordinate where z agrees with at least one x_i, so
$$|I(z, X)| \le \sum_{i=1}^{w} I(z, x_i) < w \cdot \frac{n}{w^2} = \frac{n}{w}. \qquad (7.11)$$
On the other hand, by Lemma 7.3.1, for every y ∈ desc(X) we can find an x_i such that
I(x_i, y) ≥ n/w. Thus we obtain d(x_i, y) ≤ n − n/w = n(1 − 1/w), while for any
z ∈ C \ X we have I(z, y) ≤ |I(z, X)| < n/w (a coordinate where z agrees with y is a
coordinate where z_j ∈ P_j(X)) and hence d(z, y) > n − n/w = n(1 − 1/w), proving
w-traceability. □
This theorem works only for a reasonably large alphabet.
Exercises
1. Let the size of the alphabet be q. Then there does not exist a w-IPP code C with
|C| > w ≥ q.
2. Using the Reed–Solomon code C over Z17 of length 16 with minimum distance 13,
show that there exists a fingerprinting code with the identifiable parent property
of order 2 containing 83521 codewords.
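As an added worked example (my Python, not code from the book), the following script builds a small Reed–Solomon code, checks the distance condition of Theorem 7.3.3, forms a descendant of a two-member coalition and traces it by nearest-codeword decoding as in Proposition 7.3.3. The parameters q = 7, k = 2, the two parents and the helper names are my choices; Exercise 2's parameters are only checked against the theorem's bound, not enumerated.

```python
"""Traceability (TA) decoding for a fingerprinting code (Theorem 7.3.3, Prop. 7.3.3).
Added example; the Reed-Solomon parameters and the coalition below are constructed."""
from fractions import Fraction
from itertools import product


def hamming(u, v):
    """d(u, v): number of coordinates where u and v differ."""
    return sum(a != b for a, b in zip(u, v))


def agreements(u, v):
    """I(u, v) = n - d(u, v): number of coordinates where u and v agree."""
    return len(u) - hamming(u, v)


def reed_solomon(q, k):
    """Evaluations at all points of Z_q (q prime) of every polynomial of degree < k.
    Length n = q, q^k codewords, minimum distance n - k + 1."""
    return [
        tuple(sum(c * pow(x, i, q) for i, c in enumerate(coeffs)) % q for x in range(q))
        for coeffs in product(range(q), repeat=k)
    ]


def min_distance(code):
    return min(hamming(u, v) for i, u in enumerate(code) for v in code[i + 1:])


def ta_threshold(n, w):
    """Theorem 7.3.3: d_min > n(1 - 1/w^2) guarantees the w-TA property."""
    return Fraction(n) * (1 - Fraction(1, w * w))


def is_w_ta_by_distance(code, w):
    return min_distance(code) > ta_threshold(len(code[0]), w)


def is_descendant(y, parents):
    """y in desc(X): coordinate j of y occurs at position j in some parent."""
    return all(y[j] in {x[j] for x in parents} for j in range(len(y)))


def make_descendant(parents, choice):
    """Coalition output: coordinate j is copied from parents[choice[j]]."""
    return tuple(parents[choice[j]][j] for j in range(len(choice)))


def trace(code, y):
    """Nearest-codeword decoding: the set of codewords at minimal distance from y.
    For a w-TA code and y in desc_w(C) this set is a subset of the coalition."""
    best = min(hamming(y, x) for x in code)
    return {x for x in code if hamming(y, x) == best}


def demo():
    """Runs the whole pipeline; returns (coalition, descendant, traced set)."""
    code = reed_solomon(7, 2)                # n = 7, 49 codewords, d_min = 6
    assert is_w_ta_by_distance(code, 2)      # 6 > 7 * (1 - 1/4) = 5.25
    p1 = tuple(range(7))                     # the polynomial x
    p2 = (3,) * 7                            # the constant polynomial 3
    y = make_descendant([p1, p2], [0, 0, 0, 0, 1, 1, 1])   # constructed coalition output
    return {p1, p2}, y, trace(code, y)


if __name__ == "__main__":
    coalition, y, traced = demo()
    print("descendant", y, "traced to", traced, "subset of coalition:", traced <= coalition)
```

The same check with q = 17, k = 4 gives the parameters of Exercise 2: n = 16 if the zero point is dropped, d_min = 13 > 16(1 − 1/4) = 12, and 17^4 = 83521 codewords; the brute-force `min_distance` is only for small codes, the bound itself follows from n − k + 1.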
Chapter 8
Compression
Let be a finite set and || be the number of elements in it. Suppose that we want
to give an individual label to each element of and each label must be a sequence
of zeros and ones. How long must our sequences be so that we have enough labels
for all elements of ? Since we have exactly 2n sequences of length n, this number
should be taken so that 2n ≥ ||. If we aim at sequences of the shortest possible
length, we should choose n so that
ωk → k → k(2) ,
Here and further in this section all logarithms will be taken to base 2.
Let x be the nearest integer which is greater than or equal to x. Then (8.1)
implies n ≥ log || > n − 1, hence, for an element ω ∈ , the integer I (ω) is
the minimal number of binary symbols necessary for individualising ω among other
elements of .
Let now
= 1 ∪ 2 ∪ · · · ∪ n (8.3)
be a partition of into n disjoint classes. Let π(ω) denote the class which contains ω.
Definition 8.1.2 The information of an element ω ∈ relative to the given partition
is defined as
I (ω) = log |π(ω)|. (8.4)
It can be interpreted as follows. In a partitioned set, when the information about the
partition is public knowledge, every element ω ∈ carries information only about
its class π(ω). In the extreme case, when there is only one class in the partition, i.e.,
the set itself, we get the same concept as in Definition 8.1.1.
Example 8.1.2 Let = Z42 be the four-dimensional vector space over Z2 . Let
= 0 ∪ 1 ∪ . . . ∪ n
1 In this chapter we will identify vectors from Z_2^n with words of length n in the binary alphabet.
If d is small, then
$$I(z) = \log\binom{n}{d} = \log\frac{n(n-1)\cdots(n-d+1)}{d!} < \log n^{d} = d\log n,$$
which is small compared with n. If d = n/2, then
$$I(z) = \log\binom{n}{d} = \log\binom{n}{n/2} \sim n - \frac{1}{2}\log n + \frac{1}{2}(1 - \log\pi) \sim n,$$
which can easily be obtained from Stirling's formula 2.2.
Thus
� n
� n
� n
�
|i | 1
2−(I (ω)+log n) = |i |2(− log |i |−log n) = = = 1.
|i |n n
ω∈ i=1 i=1 i=1
�
We shall see soon what equation (8.6) means.
Exercises
1. How many bits of information does one need to specify one letter of the English
alphabet?
2. In a magic trick, there are three participants: the magician, an assistant, and a
volunteer. The assistant, who claims to have paranormal abilities, is in a sound-
proof room. The magician gives the volunteer six blank cards, five white and one
blue. The volunteer writes a different integer from 1 to 100 on each card, as the
magician is watching. The volunteer keeps the blue card. The magician arranges
the five white cards in some order and passes them to the assistant. The assistant
then announces the number on the blue card. How does the trick work?
8.1 Prefix Codes
Let X be a finite set (alphabet) and X n be the set of all possible words of length n in
this alphabet. We stress that in X n we collect all words regardless of whether they
are meaningful or not. For example, if X is the English alphabet, then yyyxza is also
considered as a word belonging to X^6. Let also W(X) be the set of all words in this
alphabet, i.e.,
W (X ) = X 1 ∪ X 2 ∪ · · · ∪ X n ∪ . . .
ψ : X n → W (Z2 ). (8.7)
This means that every word w from X n is encoded into a binary codeword ψ(w).
Note that the length of w is strictly n while the length of ψ(w) can be arbitrary. The
code of a message M, which is a word from W (X ), will be obtained as follows. We
divide M into segments of length n and the tail which is of length at most n (but
by agreement it can also be viewed as of length n; for example, for English words
we may add as many letters ‘z’ at the end of the message as is needed). Then M is
represented as M = w_1 w_2 ... w_s ..., where w_i ∈ X^n, and we define
$$\psi(w_1)\,\psi(w_2)\ldots\psi(w_s)\ldots \qquad (8.8)$$
to be the encoding for M. What we should take care of is that the message (8.8) can
be uniquely decoded and that this decoding is as easy as possible. This is non-trivial
since the words ψ(w1 ), . . . ψ(ws ) . . . may have different lengths and we may not
know, for example, where ψ(w1 ) ends and where ψ(w2 ) starts. We will now introduce
a class of codes for which such decoding is possible.
Definition 8.1.4 A non-uniform code (8.7) is said to be a prefix code if for every two
distinct words w_1, w_2 ∈ X^n neither of the two codewords ψ(w_1), ψ(w_2) is the beginning of
the other.
If our code is a prefix one, then we can decode (8.8) uniquely. Indeed, there will be
only one codeword which is the beginning of (8.8) and that will be ψ(w1 ). Similarly
we decode the rest of the message.
Example 8.1.4 Let X = {a, b, c} and ψ(a) = 1, ψ(b) = 01, ψ(c) = 00. This is a
prefix code and the message 0001101100 can be uniquely decoded as 00·01·1·01·1·00 = cbabac.
Example 8.1.5 Every binary rooted tree gives us a prefix code. We assign a 1 to each
edge from a parent to its left child and a 0 to each edge from a parent to its right
child. Then the set of all terminal vertices can be identified with the set of codewords
of a prefix code. Indeed, for any terminal vertex, there is a unique directed path from
the root to it. This path gives a string of 0’s and 1’s which we assign to the terminal
vertex. Since we always finish at a terminal vertex, no path is a beginning of the other
and therefore no codeword will be a beginning of the other. For example, the tree
below (left edges labelled 1, right edges 0; each leaf carries its codeword) gives us
the code {0, 11, 101, 100}:

            *
         1/   \0
         *      0
       1/ \0
      11   *
         1/ \0
       101   100
$$\sum_{i=1}^{q} 2^{-m_i} \le 1. \qquad (8.9)$$
Proof We will assume that m = max(m 1 , . . . , m q ), which means that the longest
codeword has length m. Suppose that a prefix code possesses a codeword u of length
i. Then the 21 = 2 words u0 and u1 cannot be codewords. The 22 = 4 words u00,
u01, u10 and u11 also cannot be codewords. In general all 2k−i words of length k
obtained by extending u to the right cannot be codewords. If v is another codeword
of length j then it excludes another 2k− j words of length k from being codewords.
The codewords u and v cannot exclude the same word, otherwise one of them will
be the beginning of the other.
Let us denote by S_j the number of codewords of length j. Then, as we just noticed,
$$S_1 \cdot 2^{k-1} + S_2 \cdot 2^{k-2} + \cdots + S_{k-1} \cdot 2$$
words of length k cannot be codewords. This number plus S_k, which is the number of
codewords of length k, should be less than or equal to 2^k, which is the total number of
words of length k. The existence of a prefix code with the given lengths of codewords
implies that the following inequality holds for any k = 1, ..., m:
$$S_1 \cdot 2^{k-1} + S_2 \cdot 2^{k-2} + \cdots + S_{k-1} \cdot 2 + S_k \le 2^k. \qquad (8.10)$$
Thus, all these inequalities are necessary conditions for the existence of such a prefix
code. But the inequality for k = m is the strongest because it implies all the rest.
Indeed, dividing (8.10) by 2 and dropping the non-negative term S_k/2 gives
$$S_1 \cdot 2^{k-2} + S_2 \cdot 2^{k-3} + \cdots + S_{k-1} \le 2^{k-1} - \frac{S_k}{2} \le 2^{k-1},$$
i.e., the same inequality for k − 1. Thus, indeed, the inequality for k = m implies all
other inequalities.
Taking this strongest inequality (8.10) and dividing it by 2^m we get
$$\sum_{j=1}^{m} S_j \cdot 2^{-j} \le 1. \qquad (8.11)$$
Since exactly S_j of the lengths m_1, ..., m_q are equal to j, the left-hand side is the
sum in (8.9) with equal lengths grouped together:
$$\sum_{j=1}^{m} S_j \cdot 2^{-j} = \sum_{i=1}^{q} 2^{-m_i}.$$
Hence the inequality (8.9) is a necessary condition for the existence of a prefix code
with lengths of codewords m_1, m_2, ..., m_q.
Let us show that it is also sufficient. Let S j be the number of codewords of length
j and m be the maximal length of codewords. We will again use (8.9) in its equivalent
form (8.11) which implies (8.10) for all k = 1, . . . , m.
Firstly, we take S_1 arbitrary words of length 1. Since (8.10) for k = 1 gives
2 − S_1 ≥ 0, we have S_1 ≤ 2 and we can do this step. Suppose that we have done
k − 1 steps already and have chosen S_i words of length i for i = 1, ..., k − 1 so that
no word is the beginning of another. Then the chosen words prohibit us from choosing
$$S_1 \cdot 2^{k-1} + S_2 \cdot 2^{k-2} + \cdots + S_{k-1} \cdot 2$$
words of length k, and by (8.10) at least S_k of the 2^k words of length k remain;
hence we can find S_k words of length k which are compatible with the words previously
chosen. This argument shows that the construction of the code can be completed
to the end. □
$$\frac{1}{2^1} + \frac{1}{2^2} + \frac{1}{2^3} + \frac{1}{2^3} = 1. \qquad (8.12)$$
If X = {a, b, c, d}, then according to Theorem 8.1.1 there exists a prefix code
ψ : X → W (Z2 ) with the lengths of the codewords 1, 2, 3, 3. Let us choose the
codeword ψ(a) = 0 of length 1, then we cannot use the words 00 and 01 for the
choice of the codeword for b of length 2 and we choose ψ(b) = 10. For the choice
of codewords for c and d we cannot choose the words 000, 001, 010, 011 (because
of the choice of ψ(a)) and the words 100, 101 (because of the choice of ψ(b)), thus
we choose the two remaining words of length 3, i.e., ψ(c) = 110 and ψ(d) = 111.
Suppose now that X = {a, b}. Then |X²| = 4 and we can use (8.12) again for
this situation to define a code ψ : X² → W(Z_2) as follows:
ψ(ab) = 0, ψ(ba) = 10, ψ(aa) = 110, ψ(bb) = 111.
The words abba and baabab will be encoded as 010 and 1000, respectively. The
word 11111001000 can be represented as
11111001000 = ψ(bb)ψ(aa)ψ(ab)ψ(ba)ψ(ab)ψ(ab)
and therefore decodes as bbaaabbaabab.
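As an added example (my Python, not the book's own code), here is the constructive half of the proof of Theorem 8.1.1: a Kraft-sum check, the length-by-length choice of codewords that never extends an earlier codeword, a prefix-freeness check for Definition 8.1.4, and a decoder that walks the bits of a concatenated message and rejects a dangling tail. Function names are mine; the codes of Example 8.1.4 and the two examples above serve as inputs.

```python
"""Kraft's inequality and prefix codes (Theorem 8.1.1, Definition 8.1.4). Added example."""
from fractions import Fraction


def kraft_sum(lengths):
    """sum_i 2^{-m_i}; a binary prefix code with these lengths exists iff it is <= 1."""
    return sum(Fraction(1, 2 ** m) for m in lengths)


def build_prefix_code(lengths):
    """The proof's construction: take codewords in order of increasing length and,
    at each length, the smallest word that does not extend an earlier codeword.
    Returns one codeword per requested length (same order), or None if the
    Kraft sum exceeds 1."""
    if kraft_sum(lengths) > 1:
        return None
    words = [None] * len(lengths)
    nxt, cur = 0, 0      # next free word (as an integer) at the current length `cur`
    for i in sorted(range(len(lengths)), key=lambda i: lengths[i]):
        m = lengths[i]
        # Appending m - cur bits to every word below `nxt` produces exactly the
        # length-m words that extend an already chosen codeword, so shift past them.
        nxt <<= m - cur
        cur = m
        words[i] = format(nxt, f"0{m}b")
        nxt += 1
    return words


def is_prefix_free(codewords):
    """Definition 8.1.4: no codeword is the beginning of another one."""
    cws = list(codewords)
    return all(not b.startswith(a)
               for i, a in enumerate(cws) for j, b in enumerate(cws) if i != j)


def prefix_decode(codebook, bits):
    """Decode a concatenation of codewords; codebook maps symbol -> codeword.
    For a prefix code the first codeword matching the buffer is the only
    candidate, so one left-to-right pass suffices. Raises on a leftover tail."""
    if not is_prefix_free(codebook.values()):
        raise ValueError("codebook is not a prefix code")
    inverse = {cw: sym for sym, cw in codebook.items()}
    out, buf = [], ""
    for b in bits:
        buf += b
        if buf in inverse:
            out.append(inverse[buf])
            buf = ""
    if buf:
        raise ValueError(f"undecodable tail {buf!r}")
    return out


if __name__ == "__main__":
    print(build_prefix_code([1, 2, 3, 3]))                         # the code of (8.12)
    print(prefix_decode({"a": "1", "b": "01", "c": "00"}, "0001101100"))
```

For the lengths 2, 3, 3, 3, 3, 3, 4, 5, 5 of Exercise 3 below the Kraft sum is exactly 1 and `build_prefix_code` returns a complete code; for lengths 1, 1, 2 the sum is 5/4 and it returns None.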
be a partition of a finite set into n disjoint classes. Then there exists a prefix
code ψ : → W (Z2 ) such that for any ω ∈ the length of the codeword ψ(ω)
is l(ω) = I (ω) + log n, where I (ω) is the information of ω relative to the given
partition.
The existence of the code is not everything. Another important issue is its fast
decodability.
Exercises
1. Check that the set {11, 10, 00, 011, 010} is a set of codewords of a prefix code
and construct the corresponding tree.
2. Since
$$\frac{1}{2^2} + \frac{1}{2^3} + \frac{1}{2^3} + \frac{1}{2^4} + \frac{1}{2^4} + \frac{1}{2^4} + \frac{1}{2^4} = 1,$$
the existence of which prefix code can we infer from Kraft's inequality?
3. Let X be an alphabet consisting of 9 elements. Construct a prefix binary code
ψ : X → W (Z2 ) with the lengths of the codewords: 2, 3, 3, 3, 3, 3, 4, 5, 5 in
following steps:
(a) Use Kraft’s inequality to prove that such a code exists.
(b) Construct any tree that corresponds to such a code.
(c) List the codewords corresponding to this tree.
8.2.1 Encoding
We need to compress files when we are short of memory and want to use it effectively.
Since computer files are already written as strings of binary digits, in this section we
will consider the code ψ : Zn2 → W (Z2 ) which encodes binary sequences of fixed
length n into binary sequences of variable length. The idea of Fittingof’s compression
is expressed in Example 8.1.3, where it was shown that the information of a vector
from Zn2 of small (or large) Hamming weight is relatively small compared to n.
Therefore if we encode words in such a way that the length of a codeword ψ(x)
will be approximately equal to the information of x, then words of small and large
Hamming weights will be significantly compressed. This, for example, often works
well with photographs.
In this section we will order all binary words of the same length using lexico-
graphic order. This order depends on an order on our binary symbols and we will
assume that zero precedes one (denoted 0 ≺ 1).
Definition 8.2.1 Let y = y_1 y_2 ... y_n and z = z_1 z_2 ... z_n be two binary words of the
same length. We say that y is lexicographically earlier than z, and write y ≺ z, if for
some k ≥ 0 we have y_1 = z_1, ..., y_k = z_k and y_{k+1} = 0, z_{k+1} = 1.
For example, all 15 binary words of length 6 and weight 4 will be listed in lexicographic
order as shown:
001111, 010111, 011011, 011101, 011110, 100111, 101011, 101101, 101110, 110011, 110101, 110110, 111001, 111010, 111100.
We can refer to these words by just quoting their ordinal numbers. We adopt the
convention that the first word has ordinal number zero. Thus the ordinal number of a
word x is the number of words that are earlier than x. In particular, the ordinal number of
101011 is 6.
$$N(x) = \binom{n - n_1}{d} + \binom{n - n_2}{d - 1} + \cdots + \binom{n - n_d}{1}, \qquad (8.14)$$
where the 1's in x occupy the positions n_1 < n_2 < ··· < n_d (counting from the left).
Proof Firstly, we count all the words of weight d whose n_1 − 1 leftmost symbols
coincide with those of x, i.e., are all zeros, and whose position n_1 is also occupied by
a zero (this condition secures that all such words are lexicographically earlier than
x). Since we have to distribute d ones between the n − n_1 remaining positions, there will
be $\binom{n-n_1}{d}$ such words. Secondly, we have to count all the words whose first n_2 − 1
symbols coincide with those of x and which have a zero in position n_2. There are
$\binom{n-n_2}{d-1}$ such words, as we have to distribute d − 1 ones between n − n_2 places. Finally,
we have to count all words whose first n_d − 1 symbols coincide with those of
x and which have a zero in position n_d. There will be $\binom{n-n_d}{1}$ such words. All
the words that are lexicographically earlier than x are now counted. As the ordinal
number of x is equal to the number of words which lexicographically precede x, this
proves (8.14). □
The codeword ψ(x) for x ∈ X_d (i.e., for a word x of weight d) will consist of two
parts: ψ(x) = μ(x)ν(x), where μ(x) is the prefix of fixed length ⌈log(n + 1)⌉, which
is the binary code for d, and ν(x) is the binary code of the ordinal number N(x) of x in
the class X_d, consisting of $\lceil \log|X_d| \rceil = \lceil \log\binom{n}{d} \rceil$ binary symbols. Both parameters
together characterise x uniquely. In total the length of the codeword ψ(x) = μ(x)ν(x)
will be
$$l(\psi(x)) = \lceil \log(n+1) \rceil + \left\lceil \log\binom{n}{d} \right\rceil.$$
Since ⌈log(n + 1)⌉ grows only logarithmically in n, this gives
$$l(\psi(x)) = I(x) + o(n), \qquad \frac{o(n)}{n} \to 0,$$
i.e., the length of the codeword is asymptotically equal to the information of x relative to the given partition.
We now state the main theorem of this chapter.
Theorem 8.2.1 (Fitingof) There exists a prefix code ψ : Zn2 → W (Z2 ) for which the
length of the codeword ψ(x) is asymptotically equal to the information of the word
x and for which there exists a decoding procedure of polynomial complexity.
Proof We have shown already that the length of the codeword ψ(x) is asymptotically
equal to the information of the word x. Let us prove that Fitingof’s code is a prefix
one. Suppose ψ(x1 ) = μ(x1 )ν(x1 ) is a beginning of ψ(x2 ) = μ(x2 )ν(x2 ). We know
that the length of μ(x1 ) is the same as the length of μ(x2 ), hence μ(x1 ) = μ(x2 ) and
hence x1 and x2 has the same weight. But then the length of ν(x1 ) is the same as the
length of ν(x2 ) and hence ψ(x1 ) and ψ(x2 ) have the same length. However, in such
a case one cannot be a beginning of another without being equal.
The proof will be continued in the next section devoted to the decoding algorithm.
�
we will have μ(x) = 00100 because wt(x) = 4 = 100_(2) and the prefix must be of
length 5 to accommodate all possible weights in the range from 0 to 31. The length of
the suffix ν(x) will be $\lceil \log\binom{31}{4} \rceil = 15$. Further, we will have n_1 = 8, n_2 = 14, n_3 = 16,
n_4 = 20 and
$$N(x) = \binom{11}{1} + \binom{15}{2} + \binom{17}{3} + \binom{23}{4} = 9651 = 10010110110011_{(2)},$$
so that ν(x) = 010010110110011 (the 14 binary digits of 9651 padded to 15) and
ψ(x) = 00100 010010110110011, 20 bits in place of 31.
Exercises
1. Put the following three words of Z_2^7 in increasing lexicographic order:
2. How many vectors of Hamming weight at least 4 and at most 5 are there in Z_2^{10}?
3. Calculate the ordinal number of the word w = 0011011 in X_4 ⊂ Z_2^7.
4. Let ψ : Z_2^{15} → W(Z_2) be Fitingof's code.
(a) How long is the prefix which shows the Hamming weight of the word?
(b) Given x = 000010100000100, how long must be the suffix of the codeword
ψ(x)?
(c) Encode x, i.e., find ψ(x).
To decode a message we have to decode the codewords one by one starting from the
first. Suppose the first codeword is ψ(x). First, we separate its prefix μ(x) (because it
is of fixed known length ⌈log(n + 1)⌉) and reconstruct d = wt(x). Then, knowing d,
we calculate the length of ν(x), which is $\lceil \log\binom{n}{d} \rceil$. Then looking at ν(x) and knowing
that it represents the ordinal number N(x) of x in X_d, we reconstruct N = N(x).
Then we are left with the equation
$$\binom{x_d}{1} + \cdots + \binom{x_2}{d-1} + \binom{x_1}{d} = N \qquad (8.15)$$
to solve for x_d < ··· < x_2 < x_1, where x_i = n − n_i. This can be done in a fast and
elegant way using the properties of Pascal’s triangle, part of which is shown below:
1
1 1
1 2 1
1 3 3 1
1 4 6 4 1
1 5 10 10 5 1
The nth row of this triangle contains the binomial coefficients $\binom{n}{m}$, m = 0, 1, ..., n,
where m increases from left to right. These binomial coefficients are defined inductively
by the formula
$$\binom{n}{j} = \binom{n-1}{j} + \binom{n-1}{j-1} \qquad (8.16)$$
and the boundary conditions $\binom{0}{0} = 1$ and $\binom{0}{m} = 0$ for all 0 ≠ m ∈ Z. We also know
the explicit formula
$$\binom{n}{m} = \frac{n!}{m!\,(n-m)!},$$
For any integers n ≥ d ≥ 1 we have
$$\binom{n-d}{0} + \binom{n-d+1}{1} + \cdots + \binom{n-1}{d-1} + \binom{n}{d} = \binom{n+1}{d}. \qquad (8.17)$$
We prove this by induction on d. For d = 1 the identity reads $\binom{n-1}{0} + \binom{n}{1} = 1 + n = \binom{n+1}{1}$,
which is true. Let us assume that (8.17) is true for d = k − 1. Then by the induction
hypothesis, applied to the first k − 1 summands of the left-hand side of (8.17), and
using (8.16), we get
$$\binom{n-k}{0} + \binom{n-k+1}{1} + \cdots + \binom{n-1}{k-1} + \binom{n}{k}
= \left[\binom{(n-1)-(k-1)}{0} + \binom{(n-1)-(k-1)+1}{1} + \cdots + \binom{n-1}{k-1}\right] + \binom{n}{k}
= \binom{n}{k-1} + \binom{n}{k} = \binom{n+1}{k},$$
which proves (8.17) for d = k.
Proposition 8.2.1 Suppose the Eq. (8.15) is satisfied for some x_1, ..., x_d such that
x_d < x_{d−1} < ··· < x_1. Then x_1 can be found as the largest integer satisfying the
inequality
$$\binom{x_1}{d} \le N. \qquad (8.18)$$
Proof By (8.15), $\binom{x_1}{d} \le N$, so x_1 ≤ m, where m is the largest integer satisfying
$\binom{m}{d} \le N$. Suppose that x_1 < m. Then, since x_d < x_{d−1} < ··· < x_1 gives
x_i ≤ x_1 − i + 1, by (8.17)
$$\binom{x_d}{1} + \cdots + \binom{x_2}{d-1} + \binom{x_1}{d}
\le \binom{x_1-d+1}{1} + \cdots + \binom{x_1-1}{d-1} + \binom{x_1}{d}
= \binom{x_1+1}{d} - 1 < \binom{m}{d} \le N,$$
which contradicts (8.15). Hence x_1 = m. □
Having found x_1, we subtract $\binom{x_1}{d}$ from N and apply the same rule with d − 1 in
place of d to find x_2, and so on down to x_d; the word x is then recovered from n_i = n − x_i.
Exercise
1. Let ψ : Z_2^{15} → W(Z_2) be Fitingof's compression code. Decode ψ(y) =
00100011110, i.e., find y.
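As an added example (my Python, not the book's), here is Fitingof's code end to end: ordinal numbers by (8.14), encoding with the ⌈log(n + 1)⌉-bit weight prefix and the ⌈log C(n, d)⌉-bit suffix, and decoding that inverts (8.15) with the rule of Proposition 8.2.1. The decoder also performs the range checks a decoder fed untrusted bits needs (weight above n, truncated suffix, ordinal not below C(n, d)). Function names are mine; the inputs in the usage note are the words of the example and exercises above.

```python
"""Fitingof's enumerative compression code (Sections 8.2.1-8.2.2). Added example."""
from math import comb


def bits_for(count):
    """ceil(log2(count)) for count >= 1: the width needed to index `count` objects."""
    return (count - 1).bit_length()


def ordinal(x):
    """(8.14): rank of x among the words of its length and weight, in lexicographic
    order with 0 < 1, first word = 0. Ones sit at positions n_1 < ... < n_d (1-based)."""
    n, d = len(x), x.count("1")
    positions = [i + 1 for i, b in enumerate(x) if b == "1"]
    return sum(comb(n - p, d - i) for i, p in enumerate(positions))


def unrank(N, n, d):
    """Solve (8.15): x_1 is the largest integer with C(x_1, d) <= N (Prop. 8.2.1);
    subtract C(x_1, d) and repeat with d - 1. Returns the word with n_i = n - x_i."""
    word = ["0"] * n
    for k in range(d, 0, -1):
        xi = 0
        while comb(xi + 1, k) <= N:
            xi += 1
        N -= comb(xi, k)
        word[n - xi - 1] = "1"          # position n_i = n - x_i, 1-based
    if N != 0:
        raise ValueError("ordinal is not the rank of any word")
    return "".join(word)


def fitingof_encode(x):
    """psi(x) = mu(x) nu(x): the weight in ceil(log(n+1)) bits, then the ordinal in
    ceil(log C(n, d)) bits (no bits at all when the weight class has one element)."""
    n, d = len(x), x.count("1")
    mu = format(d, f"0{bits_for(n + 1)}b")
    width = bits_for(comb(n, d))
    nu = format(ordinal(x), f"0{width}b") if width else ""
    return mu + nu


def fitingof_decode_one(bits, n):
    """Decode the first codeword of `bits`; returns (word, bits consumed).
    Rejects weights > n, truncated prefixes/suffixes and ordinals >= C(n, d)."""
    pw = bits_for(n + 1)
    if len(bits) < pw:
        raise ValueError("truncated prefix")
    d = int(bits[:pw], 2)
    if d > n:
        raise ValueError(f"weight {d} exceeds length {n}")
    width = bits_for(comb(n, d))
    nu = bits[pw:pw + width]
    if len(nu) < width:
        raise ValueError("truncated suffix")
    N = int(nu, 2) if width else 0
    if N >= comb(n, d):
        raise ValueError("ordinal out of range")
    return unrank(N, n, d), pw + width


def fitingof_decode(bits, n):
    """Decode a concatenation of codewords for words of length n."""
    out, pos = [], 0
    while pos < len(bits):
        word, used = fitingof_decode_one(bits[pos:], n)
        out.append(word)
        pos += used
    return out


if __name__ == "__main__":
    x = "".join("1" if i in (8, 14, 16, 20) else "0" for i in range(1, 32))
    print(x, "->", fitingof_encode(x), f"({len(fitingof_encode(x))} bits for {len(x)})")
    print(fitingof_decode("00100011110", 15))
```

The word of the example above (n = 31, ones at 8, 14, 16, 20) encodes to 00100 010010110110011, and `fitingof_decode("00100011110", 15)` returns the single word 000000100000100, which answers the exercise: the prefix 0010 gives d = 2, the seven-bit suffix 0011110 gives N = 30, and 30 = C(8, 2) + C(2, 1) puts the ones at positions 15 − 8 = 7 and 15 − 2 = 13.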
(logarithms are to the base 2 and it is assumed that 0 · log 0 = 0). The uncertainty
is minimal when p = 0 or p = 1, in which case we essentially don’t have any
uncertainty and the entropy of such source is zero. If p = 1/2, then the uncertainty
is maximal and the entropy of such source is equal to 1. We say that one symbol sent
from such a random source contains H ( p) bits of information. Thus we have 1 bit
of information from a symbol from a random source only in the case of probability
1/2. A word of length n contains n H ( p) bits of information.
Given a binary word x of length n consisting of m_1 ones and m_2 zeros we define
$$H(x) = -\frac{m_1}{n}\log\frac{m_1}{n} - \frac{m_2}{n}\log\frac{m_2}{n}.$$
Of course, if this word was generated from a random source with probability p, then
m 1 /n → p, when n gets large, and H (x) → H ( p). The following theorem then
shows that the two approaches are equivalent.
Therefore
$$\frac{I(x)}{n} = \frac{1}{2n}\log\frac{n}{2\pi m_1 m_2} - \frac{m_1}{n}\log\frac{m_1}{n} - \frac{m_2}{n}\log\frac{m_2}{n} = o(1) + H(x),$$
References
1. Kolmogorov, A.N.: Three approaches to the definition of the concept “the quantity of informa-
tion”. Probl. Inf. Transm. 1(1), 3–11 (1965)
2. Fitingof, B.M.: Optimal encoding under an unknown or changing statistics. Probl. Inf. Transm.
2(2), 3–11 (1966)
Chapter 9
Appendix A: GAP
GAP is a system for computational algebra. GAP has been and is developed by the
international cooperation of many people, including user contributions. This package
is free and you can install it onto your computer using the instructions from the
website www.gap-system.org. A reference manual and tutorial can be found
there. There is plenty of information about GAP available online too.
Once you have started GAP, you can start working straight away. If you type a simple
command (for example, ‘quit’) followed by a semi-colon, GAP will evaluate your
command immediately. If you press enter without entering a semi-colon, GAP will
simply give you a new line to continue entering more input. This is useful if you want
to write a more complicated command, perhaps a simple program. If you wanted your
simple command to be evaluated, then simply enter a semi-colon on the new line
and press enter again. A double semi-colon executes the command but suppresses
the output. Since GAP ignores whitespace, this will work just the same as if you
had entered the semi-colon in the first place. A semi-colon will not always cause
GAP to evaluate straight away, GAP is able to work out whether you have finished
a complete set of instructions or are part of the way through entering a program.
Another way to interact with GAP, which is particularly useful for things you
want to do more than once, is to prepare a collection of commands and programs in a
text file. Then you can type the command Read("MyGAPprog.txt"); and GAP will
evaluate all of the instructions in your text file. If your file is not in the same place
that GAP was launched from, you will have to provide its relative path (for example,
“../../GAPprogs/Example1.txt”).
© Springer International Publishing Switzerland 2015 229
A. Slinko, Algebra for Applications, Springer Undergraduate Mathematics Series,
DOI 10.1007/978-3-319-21951-6_9
You can declare a variable in GAP using the ‘:=’ operator. For example, if you
want a variable n to equal 2000, you would enter n := 2000;, or if you want n
to be the product of p and q you would enter n := p*q;. You can also declare
lists using the ‘:=’ operator, for example, zeros := [0,0,0];. The command
list:=[m..n]; defines the list of integers m, m + 1, m + 2, . . . , n. A list may
have several identical numbers in it. Lists have a length given by the command
Length(listName);, and their entries can be referenced individually by typing
listName[index]; (indices start from 1!). In GAP a list of primes ≤ 1000 is
stored. It is called ‘Primes’. This is very useful.
gap> Primes;
[ 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73,
79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157, 163, 167,
173, 179, 181, 191, 193, 197, 199, 211, 223, 227, 229, 233, 239, 241, 251, 257, 263,
269, 271, 277, 281, 283, 293, 307, 311, 313, 317, 331, 337, 347, 349, 353, 359, 367,
373, 379, 383, 389, 397, 401, 409, 419, 421, 431, 433, 439, 443, 449, 457, 461, 463,
467, 479, 487, 491, 499, 503, 509, 521, 523, 541, 547, 557, 563, 569, 571, 577, 587,
593, 599, 601, 607, 613, 617, 619, 631, 641, 643, 647, 653, 659, 661, 673, 677, 683,
691, 701, 709, 719, 727, 733, 739, 743, 751, 757, 761, 769, 773, 787, 797, 809, 811,
821, 823, 827, 829, 839, 853, 857, 859, 863, 877, 881, 883, 887, 907, 911, 919, 929,
937, 941, 947, 953, 967, 971, 977, 983, 991, 997 ]
The command
gap> Length(Primes);
168
gives us the number of primes in this list. We can find the prime in 100th position
and the position of 953 in this list as follows:
gap> Primes[100];
541
gap> Position(Primes,953);
162
Sets cannot contain multiple occurrences of elements and the order of elements
does not matter. Basically GAP views sets as ordered lists without repetitions. The
command Set(list); converts a list into a set.
gap> list:=[2,5,8,3,5];
[ 2, 5, 8, 3, 5 ]
gap> Add(list,2);
gap> list;
[ 2, 5, 8, 3, 5, 2 ]
gap> set:=Set(list);
[ 2, 3, 5, 8 ]
gap> RemoveSet(set,2);
gap> set;
[ 3, 5, 8 ]
For loops and while loops exist in GAP. Both have the same format:
for (while) [condition] do [statements] od;
For example, the following for loop squares all of the entries in the list ‘boringList’,
and places them in the same position in the list ‘squaredList’:
gap> boringList:=[2..13];
[ 2 .. 13 ]
gap> squaredList:=[1..Length(boringList)];
[ 1 .. 12 ]
gap> for i in [1..Length(boringList)] do
> squaredList[i]:=boringList[i]ˆ2;
> od;
gap> squaredList;
[ 4, 9, 16, 25, 36, 49, 64, 81, 100, 121, 144, 169 ]
Here is an example of using a while loop. We want to square the first five numbers
of the boringList.
gap> boringList:=[2..13];;
gap> i:=1;;
gap> while i<6 do
> boringList[i]:=boringList[i]ˆ2;
> i:=i+1;
> od;
gap> boringList;
[ 4, 9, 16, 25, 36, 7, 8, 9, 10, 11, 12, 13 ]
Lists may contain other lists. Analyse the following program that lists all pairs of
twin primes not exceeding 1000. It also illustrates the use of the ‘if-then’ command.
if [condition] then [statements] fi;
Here it is:
gap> twinpairs:=[];
[ ]
gap> numbers:=[1..Length(Primes)-1];
[ 1 .. 167 ]
gap> for i in numbers do
> if Primes[i]=Primes[i+1]-2 then
> Add(twinpairs,[Primes[i],Primes[i+1]]);
> fi;
> od;
gap> twinpairs;
[ [ 3, 5 ], [ 5, 7 ], [ 11, 13 ], [ 17, 19 ], [ 29, 31 ], [ 41, 43 ],
[ 59, 61 ], [ 71, 73 ], [ 101, 103 ], [ 107, 109 ], [ 137, 139 ],
[ 149, 151 ], [ 179, 181 ], [ 191, 193 ], [ 197, 199 ], [ 227, 229 ],
[ 239, 241 ], [ 269, 271 ], [ 281, 283 ], [ 311, 313 ], [ 347, 349 ],
[ 419, 421 ], [ 431, 433 ], [ 461, 463 ], [ 521, 523 ], [ 569, 571 ],
[ 599, 601 ], [ 617, 619 ], [ 641, 643 ], [ 659, 661 ], [ 809, 811 ],
[ 821, 823 ], [ 827, 829 ], [ 857, 859 ], [ 881, 883 ] ]
The list of primes ‘Primes’ contains only the 168 primes that are smaller than 1000.
Using the commands that we have just introduced we can, for example, create a list
of the first 5000 primes (the loop must run while counter <= 5000; with the condition
counter < 5000 it would stop after storing only 4999 primes):
gap> biggerPrimes := [];
[ ]
gap> counter := 1;
1
gap> currentPrime := 2;
2
gap> while counter <= 5000 do
> biggerPrimes[counter] := currentPrime;
> counter := counter + 1;
> currentPrime := NextPrimeInt(currentPrime);
> od;
The remainder and quotient of n divided by m are given by the commands RemInt
(n,m); and QuoInt(n,m);, respectively. For example,
gap> RemInt(9786354,383);
321
gap> QuoInt(9786354,383);
25551
To find m, n such that ma + nb = gcd(a, b), use the GAP command Gcdex(a,b);.
For example,
Gcdex(108,801);
returns
rec( gcd := 9, coeff1 := -37, coeff2 := 5, coeff3 := 89, coeff4 := -12 )
where m = coeff1 and n = coeff2. The remaining two entries satisfy coeff3·a + coeff4·b = 0
(here 89·108 − 12·801 = 0), so they are not another pair of Bézout coefficients. Another
example,
gap> Gcdex(123456789,987654321);
rec( gcd := 9, coeff1 := -8, coeff2 := 1, coeff3 := 109739369,
coeff4 := -13717421 )
To find the least common multiple of m and n, use the GAP command LcmInt(m,
n);. For example,
gap> LcmInt(123456789,987654321);
13548070123626141
The Euler totient function φ(n) is given by the command Phi(n);. For example,
gap> Phi(2ˆ15-1); Phi(2ˆ17-1);
27000
131070
The Chinese remainder theorem states the existence of the minimal solution N ≥ 0
of N ≡ a_1 (mod n_1), N ≡ a_2 (mod n_2), ..., N ≡ a_k (mod n_k) when the moduli are pairwise coprime. The command for finding
this solution is ChineseRem([n1, n2, ..., nk], [a1, a2, ..., ak]);. For example:
gap> ChineseRem([5,7],[1,2]);
16
GAP does not provide automatic conversion between bases. One way of doing base
conversion is to use the p-adic numbers package, feel free to investigate this on
your own. Another way is to write simple programs. For example, 120789 can be
converted to binary as follows:
gap> n := 120789;
120789
gap> base := 2;
2
gap> rems := [];
[ ]
gap> pos := 1;
1
gap> while n > 0 do;
> rems[pos] := RemInt(n,base);
> n := QuoInt(n,base);
> pos := pos + 1;
> od;
gap> n;
0
gap> rems;
[ 1, 0, 1, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 1, 1 ]
That is, 120789 is 11101011111010101 in binary. If you are not sure why the list
rems are read in the reverse order, you need to study the base conversion algorithm
in Chap. 1. As for converting from another base into decimal, you should now be
able to do it yourself. Write a simple program to convert 100011100001111100000
from binary to decimal.
The commands RootInt(n,k); and LogInt(n,b); can be used to determine,
respectively, the integer part of the kth (positive real) root of n and of the logarithm
of n to the base b, that is, ⌊n^{1/k}⌋ and ⌊log_b(n)⌋. These should be used instead of
computing roots and logarithms as GAP does not support real numbers.
Despite not supporting real numbers GAP can display a complicated fraction as
a floating-point real number e.g.,
gap> Float(254638754321/387498765398);
0.657134
will be a mistake. The latter may take centuries (guess why). The command
QuotientMod(r,s,m) returns the quotient r s −1 of the elements r and s mod-
ulo m. In particular, using the command QuotientMod(r,s,m) is preferable to
using s −1 mod m. For example,
gap> QuotientMod(1,123456789,987654321123456823);
743084182864240163
gap> 123456789ˆ-1 mod 987654321123456823;
743084182864240163
In the crypto section we needed to convert messages into numbers. Two small pro-
grams LettertoNumber and NumbertoLetter do the trick.1 They are not part
of GAP so you have to execute them before converting.
LtoN (an acronym for “Letter to Number”) takes any capital letter, which must
be put between apostrophes, e.g., ‘A’, and returns the corresponding number in the
range [0..25]. Any other argument would return −1, and print out an error message.
LtoN:=function(itamar)
local amith;
if itamar < ’A’ or ’Z’ < itamar then
Print("Out of range\n");
return -1;
else
amith:=INT_CHAR(itamar)-65;
return amith;
fi;
end;;
NtoL (an acronym of “Number to Letter”) takes any number, positive or negative,
and finds the corresponding letter. The argument must be an integer.
NtoL:=function(itamar)
local amith;
amith:=CHAR_INT(itamar mod 26+65);
return amith;
end;;
gap> letters:="ABRACADABRA";
"ABRACADABRA"
gap> numbers:=[1..Length(letters)];
[ 1 .. 11 ]
gap> for i in [1..Length(letters)] do
> numbers[i]:=LtoN(letters[i]);
> od;
gap> numbers;
[ 0, 1, 17, 0, 2, 0, 3, 0, 1, 17, 0 ]
gap> letters2:="ZZZZZZZZZZZ";
"ZZZZZZZZZZZ"
gap> for i in [1..Length(numbers)] do
> letters2[i]:=NtoL(numbers[i]);
> od;
gap> letters2;
"ABRACADABRA"
NtoL1 takes any integer, positive or negative, and finds the corresponding letter,
with A ↔ 11, B ↔ 12, ..., Z ↔ 36 (the two-digit blocks used for RSA messages); other
values wrap around modulo 26. The argument must be an integer. Note the parentheses
around itamar-11: in GAP, mod binds more tightly than -, so itamar-11 mod 26+65
would compute itamar+54 and map only the values 11..36 correctly.
NtoL1:=function(itamar)
local amith;
# A=11,...,Z=36: reduce (itamar-11) mod 26 first, then shift into ASCII 65..90
amith:=CHAR_INT((itamar-11) mod 26+65);
return amith;
end;;
The following program CNtoL1 written by Joel Laity is very convenient for decryption of messages in RSA. It converts a number with any number of digits into a message. For example,
gap> n:=1112131415161718192021222324252627282930313233343536;
1112131415161718192021222324252627282930313233343536
gap> CNtoL1(n);
"A B C D E F G H I J K L M N O P Q R S T U V W X Y Z"
CNtoL1:=function(joel)
local n, string, temp, i;
if IsInt(joel) then
string:=[];
# peel off two digits at a time from the right and convert each pair with NtoL1
while joel > 0 do
n:=joel mod 100;
joel:= (joel-n)/100;
Add(string,NtoL1(n));
Add(string,' ');
od;
#reverses the order of the list
for i in [1..QuoInt(Length(string),2)] do
temp:=string[i];
string[i]:=string[Length(string)+1-i];
string[Length(string)+1-i]:=temp;
od;
#removes extra space
string:=string{[2..Length(string)]};
return string;
else Print("Input must be an integer!");
fi;
end;;
will be presented as
gap> A:=[[1, 2, 3],[4, 5, 6],[7, 8, 9]];
[ [ 1, 2, 3 ], [ 4, 5, 6 ], [ 7, 8, 9 ] ]
gap> IsMatrix(A);
true
One has to note that if we multiply the matrix A by a row vector u (which would not normally be defined) it will actually calculate $Au^T$, e.g.,
gap> A*u;
[ 6, 15, 24 ]
Matrices with entries in $\mathbb{Z}_{26}$ can be added, multiplied and inverted by adding mod 26 at the end of the line, e.g.,
gap> C:=[[1,1,1],[0,3,1],[0,0,5]];
[ [ 1, 1, 1 ], [ 0, 3, 1 ], [ 0, 0, 5 ] ]
gap> C^-1 mod 26;
[ [ 1, 17, 12 ], [ 0, 9, 19 ], [ 0, 0, 21 ] ]
9.4 Algebra
9.4.1 Permutations
will be represented as (1, 2)(3, 4). The identity permutation is represented as ( ). For example:
gap> pi:=(1,2)(3,4);
(1,2)(3,4)
gap> pi^2;
()
A permutation can also be defined by its last row using the command PermList. For example, the permutation π can be defined as
gap> pi:=PermList([2,1,4,3]);
(1,2)(3,4)
Given a permutation written as a product of disjoint cycles, we may recover its last row using the command ListPerm:
gap> tau:=(1,3,4)(2,5,6,7);
(1,3,4)(2,5,6,7)
gap> ListPerm(tau);
[ 3, 5, 4, 1, 6, 7, 2 ]
For working with elliptic curves, first of all we have to read the two files elliptic.gd and elliptic.gi, given at the end of this section:
gap> Read("elliptic.gd");
gap> Read("elliptic.gi");
If we try to input parameters for which the discriminant of the cubic $d = -(4a^3 + 27b^2)$ is zero it will return an error. If the discriminant is nonzero, it will generate the group G. To list it we may use the command AsList(G);
gap> G:=EllipticCurveGroup(3,2,5);
EllipticCurveGroup(3,2,5)
gap> AsList(G);
[ ( 1, 1 ), ( 1, 4 ), ( 2, 1 ), ( 2, 4 ), infinity ]
You can determine orders of all elements of the group simultaneously using the
command
gap> List(ptsList,Order);
[ 50, 50, 2, 25, 25, 25, 25, 25, 25, 50, 50, 50, 50, 50, 50, 10, 10, 50, 50,
50, 50, 50, 50, 10, 10, 50, 50, 50, 50, 50, 50, 5, 5, 50, 50, 25, 25, 2,
50, 50, 50, 50, 50, 50, 25, 25, 50, 50, 50, 50, 25, 25, 5, 5, 2, 50, 50,
25, 25, 50, 50, 50, 50, 25, 25, 50, 50, 50, 50, 10, 10, 50, 50, 50, 50, 25,
25, 10, 10, 50, 50, 50, 50, 50, 50, 10, 10, 50, 50, 25, 25, 10, 10, 50, 50,
50, 50, 50, 50, 1 ]
The group of an elliptic curve for a 10-digit prime is already too big for GAP; it will
not be able to keep the whole group in the memory. For example, the two commands
gap> p:=123456791;;
gap> G:=EllipticCurveGroup(123,17,p);
will return an error. If one wants to calculate in larger groups, special techniques
must be applied.
We can find out if the group is cyclic or not.
gap> n:=NextPrimeInt(12345);
12347
gap> G:=EllipticCurveGroup(123,17,n);
EllipticCurveGroup(123,17,12347)
gap> Size(G);
12371
gap> Random(G);
( 11802, 5830 )
gap> P:=Random(G);
gap> Order(P);
12371
gap> IsCyclic(G);
true
There is no known polynomial time algorithm which finds a point on the given curve, although the following randomised algorithm gives us a point with probability close to 1/2. This algorithm chooses x at random and tries to find a matching y such that (x, y) is on the curve. For example,
gap> p:=NextPrimeInt(99921);
99923
gap> G:=EllipticCurveGroup(123,17,p);
EllipticCurveGroup(123,17,99923)
gap> Size(G);
100260
gap> IsCyclic(G);
true
gap> x:=12345;
12345
gap> fx:=(x^3+123*x+17) mod p;
51321
gap> y:=RootMod(fx,p);
fail
gap> x:=1521;
gap> fx:=(x^3+123*x+17) mod p;
42493
gap> y:=RootMod(fx,p);
72372
We must generate the curve but we also have to explain to GAP that M is the point
of the curve we have defined. For this we present GAP with an already known point
of the target curve (for example, we can generate a point P on this curve at random)
and say that we will input a point of the same curve. We see how this can be done in
the example below:
gap> G:=EllipticCurveGroup(0,12345,95701);;
gap> P:=Random(G);
(91478, 65942 )
gap> M:=EllipticCurvePoint(FamilyObj(P),[2425,89535]);
( 2425, 89535 )
Finally, below are the files that have to be read before any calculations with elliptic
curves are possible.
#############################################################################
##
#W  elliptic.gd                                                  Stefan Kohl
##
##  This file contains declarations of functions etc. for computing with
##  elliptic curves.
##
##  The category and representation declarations below are restored from
##  context (the extracted text omits them); the filters they declare are
##  used by every method in elliptic.gi.
##
DeclareCategory( "IsPointOnEllipticCurve", IsMultiplicativeElementWithInverse );
DeclareCategoryCollections( "IsPointOnEllipticCurve" );
DeclareRepresentation( "IsAffineWeierstrassRep", IsComponentObjectRep, [ "x", "y" ] );
DeclareGlobalFunction( "EllipticCurvePoint" );
DeclareGlobalFunction( "EllipticCurveGroup" );
#############################################################################
##
#E  elliptic.gd . . . . . . . . . . . . . . . . . . . . . . . . . ends here
##
#############################################################################
##
#W  elliptic.gi                                                  Stefan Kohl
##
##  This file contains implementations of methods and functions for
##  computing in the elliptic curve point groups E( a , b )/p
##  (only in affine Weierstrass form)
##
InstallGlobalFunction( EllipticCurvePoint,
  function ( Fam, P )
    local X, Y;
    X := P[ 1 ]; Y := P[ 2 ];
    ## reject points that do not satisfy y^2 = x^3 + a*x + b (mod p)
    if X <> infinity
       and (Y^2) mod Fam!.p <> (X^3 + Fam!.a*X + Fam!.b) mod Fam!.p
    then Error( "The given point must be on the specified curve" ); fi;
    if X = infinity
    then Y := infinity;
    else X := X mod Fam!.p; Y := Y mod Fam!.p;
    fi;
    ## restored from context: wrap the reduced coordinates in a point object
    ## of the family Fam (the extracted text ends the function without it)
    return Objectify( NewType( Fam, IsPointOnEllipticCurve
                                    and IsAffineWeierstrassRep ),
                      rec( x := X, y := Y ) );
  end );
InstallGlobalFunction( EllipticCurveGroup,
  function ( a, b, p )
    local F, G, X, Y, FamName, ready, Point;
    ## restored from context: the text above says that a zero discriminant
    ## -(4a^3 + 27b^2) is rejected with an error
    if (4*a^3 + 27*b^2) mod p = 0
    then Error( "The discriminant of the cubic must be nonzero" ); fi;
    ## restored from context: the family that carries a, b and p, which the
    ## methods below read back as FamilyObj( point )!.a etc.
    FamName := Concatenation( "FamilyOfPointsOnEllipticCurve(", String( a ),
                              ",", String( b ), ",", String( p ), ")" );
    F := NewFamily( FamName, IsPointOnEllipticCurve );
    F!.a := a;
    F!.b := b;
    F!.p := p;
    X := 0; ready := false;
    ## walk x = 0, 1, 2, ... and add every point found to the group, stopping
    ## once the group is so large that it must be the whole curve group
    ## (Hasse bound) or once every residue has been tried
    repeat
      if Legendre( X^3 + a*X + b, p ) = 1
      then Y := RootMod( X^3 + a*X + b, p );
           Point := EllipticCurvePoint( F, [ X, Y ] );
           if not IsBound( G )
           then G := GroupByGenerators( [ Point ] );
           else G := ClosureGroup( G, Point );
           fi;
           if p > 31 and Size( G ) > p - 2 * RootInt( p )
           then ready := true; fi;
      fi;
      X := X + 1;
    until X = p or ready;
    SetIsWholeFamily( G, true );
    SetName( G, Concatenation( "EllipticCurveGroup(", String( a ),
                               ",", String( b ), ",", String( p ), ")" ) );
    return G;
  end );
InstallMethod( PrintObj,
"for element in E(a,b)/p, (AffineWeierstrassRep)",
true, [ IsPointOnEllipticCurve and IsAffineWeierstrassRep ], 0,
function( p )
Print( "EllipticCurvePoint( ", FamilyObj( p ),
", [ ",p!.x,", ", p!.y, " ] )" );
end );
InstallMethod( ViewObj,
"for element in E(a,b)/p, AffineWeierstrassRep",
true, [ IsPointOnEllipticCurve and IsAffineWeierstrassRep ], 0,
function( p )
if p!.x <> infinity
then Print( "( ",p!.x,", ", p!.y, " )" );
else Print( "infinity" );
fi; end );
InstallMethod( \=,
"for two elements in E(a,b)/p, AffineWeierstrassRep",
IsIdenticalObj,
[ IsPointOnEllipticCurve and IsAffineWeierstrassRep,
IsPointOnEllipticCurve and IsAffineWeierstrassRep ],
0,
function( x, y )
return x!.x = y!.x and x!.y = y!.y;
end );
InstallMethod( \<,
"for two elements in E(a,b)/p, AffineWeierstrassRep",
IsIdenticalObj,
[ IsPointOnEllipticCurve and IsAffineWeierstrassRep,
IsPointOnEllipticCurve and IsAffineWeierstrassRep ],
0,
function( x, y )
return [x!.x, x!.y] < [y!.x, y!.y];
end );
InstallMethod( \*,
  "for two elements in E(a,b)/p, AffineWeierstrassRep",
  IsIdenticalObj,
  ## argument filters restored from context (they match the \= and \< methods)
  [ IsPointOnEllipticCurve and IsAffineWeierstrassRep,
    IsPointOnEllipticCurve and IsAffineWeierstrassRep ],
  0,
  function( p1, p2 )
    local lambda, p3, p, h;
    p := FamilyObj( p1 )!.p;
    if (p1!.x <> infinity) and (p2!.x <> infinity)
    then
      if p1!.x = p2!.x and p1!.y = (- p2!.y) mod FamilyObj( p2 )!.p
      then p3 := rec( x := infinity, y := infinity );   # P + (-P) = infinity
      else
        ## slope of the chord (distinct points) or of the tangent (doubling);
        ## if the denominator is not invertible mod p, its gcd with p is
        ## returned instead of a point (this can only happen for composite p)
        if p1!.x <> p2!.x
        then h := QuotientMod( 1, p1!.x - p2!.x, FamilyObj( p1 )!.p );
             if h = fail then return Gcd( p1!.x - p2!.x, p ); fi;
             lambda := (p1!.y - p2!.y) * h;
        else h := QuotientMod( 1, 2 * p1!.y, FamilyObj( p1 )!.p );
             if h = fail then return Gcd( 2 * p1!.y, p ); fi;
             lambda := (3 * p1!.x^2 + FamilyObj( p1 )!.a) * h;
        fi;
        p3 := rec();
        p3.x := lambda^2 - p1!.x - p2!.x;
        p3.y := - (lambda * (p3.x - p1!.x) + p1!.y);
      fi;
    else
      ## the point at infinity is the identity element
      if p1!.x = infinity then p3 := rec( x := p2!.x, y := p2!.y );
                          else p3 := rec( x := p1!.x, y := p1!.y ); fi;
    fi;
    return EllipticCurvePoint( FamilyObj( p1 ), [ p3.x, p3.y ] );
  end );
InstallMethod( OneOp,
"for an element in E(a,b)/p, AffineWeierstrassRep",
true,
[ IsPointOnEllipticCurve ], 0,
x -> EllipticCurvePoint( FamilyObj( x ),
[ infinity, infinity ] )
);
InstallMethod( InverseOp,
"for an element in E(a,b)/p, AffineWeierstrassRep",
true,
[ IsPointOnEllipticCurve and IsAffineWeierstrassRep ], 0,
function ( p )
if p!.x = infinity
then return EllipticCurvePoint( FamilyObj( p ), [ infinity, infinity ] );
else return EllipticCurvePoint( FamilyObj( p ),
[ p!.x, (- p!.y) mod FamilyObj( p )!.p ] );
fi;
end );
InstallMethod( Random,
  "for group E(a,b)/p",
  true,
  [ CategoryCollections( IsPointOnEllipticCurve )
    and IsWholeFamily ], 0,
  function ( G )
    local F, X, Y, a, b, p;
    ## restored from context: read a, b and p from the family of the points
    ## (the extracted text uses them without setting them)
    F := ElementsFamily( FamilyObj( G ) );
    a := F!.a; b := F!.b; p := F!.p;
    ## choose x at random until x^3 + a*x + b is a nonzero square mod p
    repeat
      X := Random( [0 .. p - 1] );
    until Legendre( X^3 + a*X + b, p ) = 1;
    Y := RootMod( X^3 + a*X + b, p );
    return EllipticCurvePoint( F, [ X, Y ] );
  end );
#############################################################################
##
#E elliptic.gi . . . . . . . . . . . . . . . . . . . . . . . . . ends here
##
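The same arithmetic in plain Python, added here as an example (it is neither code from the book nor from Stefan Kohl's elliptic.gi): the group listing AsList(G) for the small curve, the randomised search for a point from a chosen x, and the chord-and-tangent addition that the \* method above implements. Names such as `sqrt_mod` and `enumerate_group` are this example's own.

```python
# Added example (not from the book or from elliptic.gi): arithmetic on
# y^2 = x^3 + a*x + b over Z_p, written out so that each step is visible.

INF = None  # the point at infinity, printed as "infinity" by the GAP code


def is_on_curve(a, b, p, pt):
    """The test EllipticCurvePoint makes before accepting a point."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + a * x + b)) % p == 0


def sqrt_mod(n, p):
    """A square root of n mod an odd prime p, or None for a non-residue.
    Euler's criterion stands in for Legendre(); the root comes from
    Tonelli-Shanks (RootMod returns fail where this returns None)."""
    n %= p
    if n == 0:
        return 0
    if pow(n, (p - 1) // 2, p) != 1:
        return None
    if p % 4 == 3:                       # direct formula; covers p = 99923
        return pow(n, (p + 1) // 4, p)
    q, s = p - 1, 0                      # p - 1 = q * 2^s with q odd
    while q % 2 == 0:
        q //= 2
        s += 1
    z = 2                                # any quadratic non-residue
    while pow(z, (p - 1) // 2, p) != p - 1:
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(n, q, p), pow(n, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:                   # least i with t^(2^i) = 1
            t2 = t2 * t2 % p
            i += 1
        bb = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, bb * bb % p, t * bb * bb % p, r * bb % p
    return r


def add(a, b, p, p1, p2):
    """The group law as the \\* method computes it (chord and tangent).
    For prime p a nonzero slope denominator is always invertible, so
    pow(..., -1, p) replaces QuotientMod and its fail branch."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                                    # P + (-P)
    if x1 != x2:
        lam = (y1 - y2) * pow((x1 - x2) % p, -1, p)   # chord slope
    else:
        lam = (3 * x1 * x1 + a) * pow((2 * y1) % p, -1, p)  # tangent slope
    x3 = (lam * lam - x1 - x2) % p
    y3 = (-(lam * (x3 - x1) + y1)) % p
    return (x3, y3)


def scalar_mult(a, b, p, k, pt):
    """k*P by double-and-add; GAP writes the same thing as P^k."""
    acc = INF
    while k > 0:
        if k & 1:
            acc = add(a, b, p, acc, pt)
        pt = add(a, b, p, pt, pt)
        k >>= 1
    return acc


def order(a, b, p, pt, group_size):
    """Order(pt): the least divisor d of the group size with d*pt = INF."""
    for d in range(1, group_size + 1):
        if group_size % d == 0 and scalar_mult(a, b, p, d, pt) is INF:
            return d
    raise ValueError("group_size is not a multiple of the order of pt")


def enumerate_group(a, b, p):
    """AsList(G) for small p: every affine point, then the point at infinity.
    The randomised search above does the body of the loop for one random x."""
    if (4 * a ** 3 + 27 * b ** 2) % p == 0:
        raise ValueError("zero discriminant: not an elliptic curve")
    pts = []
    for x in range(p):
        y = sqrt_mod(x ** 3 + a * x + b, p)
        if y is not None:
            pts.append((x, y))
            if y != 0:
                pts.append((x, (-y) % p))
    return pts + [INF]
```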
GAP knows about all the finite fields. To create the finite field $\mathbb{Z}_p$, type GF(p); For example,
gap> F:=GF(5);;
gap> elts:=Elements(F);
[ 0*Z(5), Z(5)^0, Z(5), Z(5)^2, Z(5)^3 ]
The first element is 0 (GAP makes it clear that this is the zero of $\mathbb{Z}_5$ and not, say, of $\mathbb{Z}_3$). The remaining elements are powers of a primitive element of $\mathbb{Z}_5$, and, in particular, the second element is 1. Type Int(Z(5)); to determine the value of Z(5) (as an integer mod 5).
gap> Int(Z(5));
2
gap> value:=[0,0,0,0,0];;
gap> for i in [1..5] do
> value[i]:=Int(elts[i]);
> od;
gap> value;
[ 0, 1, 2, 4, 3 ]
Since $F^*$ is a cyclic group, GAP uses a generator of this cyclic group, denoted Z(p^k), to list all elements (except zero) as its powers.
gap> GF4:=GF(4);
GF(2^2)
gap> gf4:=Elements(GF4);
[ 0*Z(2), Z(2)^0, Z(2^2), Z(2^2)^2 ]
gap> # Note that GAP lists elements of Z_2 first.
gap> GF8:=GF(8);
GF(2^3)
gap> gf8:=Elements(GF8);
[ 0*Z(2), Z(2)^0, Z(2^3), Z(2^3)^2, Z(2^3)^3, Z(2^3)^4, Z(2^3)^5, Z(2^3)^6 ]
Note that GF(8) contains GF(2) but not GF(4). It is a general fact that GF(p^m) contains GF(p^k) as a subfield if and only if $k \mid m$.
gap> GF9:=GF(9);
GF(3^2)
gap> gf9:=Elements(GF9);
[ 0*Z(3), Z(3)^0, Z(3), Z(3^2), Z(3^2)^2, Z(3^2)^3, Z(3^2)^5, Z(3^2)^6,
Z(3^2)^7 ]
Note that GAP lists elements of $\mathbb{Z}_3$ first. Next, let's try adding, subtracting, and multiplying field elements in GAP. For example in GF(9):
gap> gf9[5]+gf9[6]; gf9[5]-gf9[7];
Z(3)
Z(3^2)^3
gap> gf9[5]^2;
Z(3)
9.4.4 Polynomials
It is not too hard to explain to GAP that we now want x to be a polynomial. We can define the polynomial ring F[x] first. For example, we define the polynomial ring in one variable x over $\mathbb{Z}_2$ as follows:
gap> R:=PolynomialRing(GF(2),["x"]);
PolynomialRing(..., [ x ])
gap> x:=IndeterminatesOfPolynomialRing(R)[1];
x
Now GAP will understand the following commands in which we define a polynomial $1 + x + x^3 \in \mathbb{Z}_2[x]$ and substitute the primitive element of GF(8) in it. All calculations will therefore be conducted in the field GF(8):
gap> p:=Z(2)+x+x^3;
x^3+x+Z(2)^0
gap> Value(p,Z(2^3));
0*Z(2)
This tells us that the generator Z(2^3) of GF(8) is a root of the polynomial $p(x) = x^3 + x + 1$ over $\mathbb{Z}_2$.
We can factorise polynomials as follows:
gap> Factors(x^16+x+1);
[ x^8+x^6+x^5+x^3+Z(2)^0, x^8+x^6+x^5+x^4+x^3+x+Z(2)^0 ]
When you type x, GAP understands what you want to say but still gives the answer in terms of x_1. Another useful command:
gap> QuotientRemainder( (x+1)*(x+2)+5, x+1 );
[ x_1+2, 5 ]
\[ m(t) = t^6 + t^4 + t^3 + t + 1 \]
\[ m_1(t) = t^2 + \alpha t + \alpha \]
\[ Ax = x_1 a_1 + x_2 a_2 + \cdots + x_n a_n \quad\text{and}\quad Bx = x_1 b_1 + x_2 b_2 + \cdots + x_n b_n. \]
Since elementary row operations do not change the solution set of systems of linear equations, we know that
\[ Ax = 0 \text{ if and only if } Bx = 0. \]
$r_1, r_2, \ldots, r_5$ as follows:
\[ A = \begin{bmatrix} 1 & -1 & 0 & 1 & -4 \\ 0 & 2 & 2 & 2 & 0 \\ 2 & 1 & 3 & 1 & 4 \\ 3 & 2 & 5 & 4 & 0 \end{bmatrix} \xrightarrow{\text{rref}} \begin{bmatrix} 1 & 0 & 1 & 0 & 2 \\ 0 & 1 & 1 & 0 & 3 \\ 0 & 0 & 0 & 1 & -3 \\ 0 & 0 & 0 & 0 & 0 \end{bmatrix}. \]
The relationships between the columns of $R$ are much more transparent than those of $A$. For example, we see that $\{r_1, r_2, r_4\}$ is linearly independent (as a part of the standard basis of $\mathbb{R}^4$) and that $r_1 + r_2 - r_3 = 0$ and $r_5 = 2r_1 + 3r_2 - 3r_4$. Hence we can conclude that $\{a_1, a_2, a_4\}$ is linearly independent, hence a basis of $\operatorname{span}\{a_1, a_2, \ldots, a_5\}$, and that $a_3 = a_1 + a_2$ and $a_5 = 2a_1 + 3a_2 - 3a_4$.
plays a significant role in algebra and applications. It can be defined over any field,
has a beautiful structure and can be calculated directly for any order.
More precisely, the following theorem is true.
Proof Since $V_2 = a_2 - a_1$ we get a basis for induction. Suppose the theorem is true for order $n - 1$. Consider the determinant
\[ f(x) = \begin{vmatrix} 1 & 1 & \cdots & 1 \\ x & a_2 & \cdots & a_n \\ x^2 & a_2^2 & \cdots & a_n^2 \\ \vdots & \vdots & \ddots & \vdots \\ x^{n-1} & a_2^{n-1} & \cdots & a_n^{n-1} \end{vmatrix} \]
If we expand it using cofactors of the first column we will see that it has degree $n - 1$. Also it is easy to see that $f(a_2) = \cdots = f(a_n) = 0$ since, if we replace $x$ with any of the $a_i$ for $i > 1$, we will have a determinant with two equal columns. Hence
\[ f(x) = C(x - a_2) \cdots (x - a_n). \]
From the expansion of $f(x)$ by cofactors of the first column we see that $C = V_{n-1}(a_2, \ldots, a_n)$. Hence we have
The determinant
\[ V_n(x_1, x_2, \ldots, x_n) = \begin{vmatrix} x_1 & x_2 & \cdots & x_n \\ x_1^2 & x_2^2 & \cdots & x_n^2 \\ \vdots & \vdots & \ddots & \vdots \\ x_1^{n-1} & x_2^{n-1} & \cdots & x_n^{n-1} \\ x_1^n & x_2^n & \cdots & x_n^n \end{vmatrix} \tag{10.4} \]
The right-hand side is divisible by 133. Indeed, the first summand is divisible by 133 by the induction hypothesis and the second is simply a multiple of 133. Thus $11^{n+3} + 12^{2n+3}$ is divisible by 133, which completes the induction step and the proof.
4. We have $F_0 = 3$ and $F_1 = 5$. We see that $F_0 = F_1 - 2$ and this is a basis for our induction. The induction step
© Springer International Publishing Switzerland 2015
A. Slinko, Algebra for Applications, Springer Undergraduate Mathematics Series,
DOI 10.1007/978-3-319-21951-6_11
\[ M - 2^k = 2^{i_1} + \cdots + 2^{i_s}, \]
where $i_1 < \cdots < i_s$. Since $M - 2^k < 2^k$, it is clear that $2^k > 2^{i_s}$. Therefore
\[ M = 2^{i_1} + \cdots + 2^{i_s} + 2^k \]
\[ M = 2^{i_1} + \cdots + 2^{i_s} = 2^{j_1} + \cdots + 2^{j_t}. \]
and $j_1 > 0$. But then the left-hand side is odd and the right-hand side is even. This contradiction shows that such a minimal counterexample $M$ does not exist and all integers can be uniquely represented.
8. Consider a minimal counterexample, i.e., any configuration of discs which cannot be painted as required and which consists of the least possible number of discs. Consider the centres of all discs and consider the convex hull of them. This hull is a convex polygon and each angle of it is less than 180°. If a disc with the centre O is touched by two other discs with centres P and Q
1. The 2007th prime will not be stored in Primes so we have to use the command
NextPrimeInt to find it:
gap> p:=1;;
gap> n:=2007;;
gap> for i in [1..n] do
> p:=NextPrimeInt(p);
> od;
gap> p;
17449
(b) We know (see Exercise 4) that all primes p > 3 fall into two categories: those
for which p = 6k + 1 and those for which p = 6k + 5.
\[ N = p_1 p_2 \cdots p_n - 1. \]
It is easy to show that $f(n)$ grows more slowly than $n$ for $n$ sufficiently large. For example, we may use L'Hospital's rule to show that
\[ \lim_{n \to \infty} \frac{f(n)}{n} = 0. \]
This will be an absurdity since for large $n$ there will not be enough prime factorisations for all positive integers between 1 and $n$.
$m \ge 3$. Then
\[ n = p_1 p_2 \cdots p_m \ge p_1 p_2 p_3 > (\sqrt[3]{n})^3 = n, \]
\[ 2^2 \cdot 3^3 \cdot 4^4 \cdot 5^5 = 2^{10} \cdot 3^3 \cdot 5^5 \]
and the number of divisors will be $(10 + 1)(3 + 1)(5 + 1) = 264$. Note that we cannot use the formula straight away as 4 is not prime.
2. We factor this number with GAP:
gap> FactorsInt(123456789);
[ 3, 3, 3607, 3803 ]
Hence
Therefore the common divisors of 10650 and 6750 are the factors of 150, which
are 1, 2, 3, 5, 6, 10, 15, 25, 30, 50, 75, 150.
4. (a) We have $\gcd(m, n) = 2^2 \cdot 5^4 \cdot 11^2$; $\operatorname{lcm}(m, n) = 2^4 \cdot 3^2 \cdot 5^7 \cdot 7^2 \cdot 11^3$.
(b) Using GAP we calculate
Also
6. Since the prime factorisation of 246 is 246 = 2 · 3 · 41, the prime factorisation
of 246246 will be
\[ \gcd(a^2 + b^2, a + b) = \gcd((a^2 + b^2) + (a^2 - b^2), a + b) = \gcd(2a^2, a + b) = 2. \]
Here each row lists the remainder r, the coefficients x and y with r = 3773x + 3596y, and the quotient q used to obtain that row:
    r       x       y    q
 3773       1       0
 3596       0       1    1
  177       1      -1   20
   56     -20      21    3
    9      61     -64    6
    2    -386     405    4
    1    1605   -1684    2
a − b = kc − td.
Since the right-hand side is divisible by gcd(c, d), we see that a − b is divisible
by gcd(c, d) as well.
4. (a) The Extended Euclidean algorithm applied to 68 and 26 gives 2 =
gcd(68, 26) = 5 · 68 + (−13) · 26. Multiplying both sides by (35 − 9)/
2 = 13, we see that 35 − 9 = 13 · 5 · 68 − 13 · 13 · 26. Hence, the number
x = 35 + 13 · 13 · 26 = 9 + 13 · 5 · 68 = 4429 satisfies our congru-
ences. (There are many other solutions, all of them are congruent modulo
884 = lcm(26, 68); i.e., all these solutions are given by 4429 + 884 · n,
n ∈ Z .)
(b) The Extended Euclidean algorithm applied to 71 and 50 gives 1 = 27 · 50 +
(−19) · 71. Now, 15 = 19 − 4 and the number x = 4 + 15 · 27 · 50 =
19 + 15 · 19 · 71 = 20254 satisfies our congruences but is greater than 3550.
But x = x mod 3550 = 2504 is the unique solution of the two congruences
which lies in the interval [0, 3550).
5. (a) We know from Exercise 2 that gcd(1995, 1840) = 5. If there were integers x
and y satisfying 1840x + 1995y = 3, then 3 = 5(368x + 399y) and 3 would
be divisible by 5, a contradiction.
(b) Let C be the set of integers c for which there exist integers x and y satisfying
the equation ax + by = c, and let d = gcd(a, b). By the Extended Euclidean
Algorithm we know that there are some integers x0 , y0 , such that ax0 + by0 =
d. Let k be an arbitrary integer. Then a(kx0 ) + b(ky0 ) = kd, showing that
kd ∈ C, so C contains all multiples of gcd(a, b). Let us prove that C contains
nothing else. Write $a = da'$ and $b = db'$, for some integers $a'$ and $b'$, and take an arbitrary $c \in C$. Then, for some integers $x$ and $y$, we have:
1. Using the prime factorization of these numbers and the formula for φ(n) we
compute:
\[ p + q = 4472 \]
\[ pq = 4386607 \]
\[ 333^{555} \equiv 4^3 \equiv 64 \equiv 1 \pmod 7. \]
\[ 555^{333} \equiv 2^3 \equiv 1 \pmod 7. \]
The result is not equal to 1 and this shows that by Fermat’s Little Theorem n is
not prime. Indeed, we see that n has four different prime factors:
gap> Factors(n);
[ 3, 3, 7, 19, 928163, 1111211111 ]
\[ \operatorname{lcm}(m_1, m_2, \ldots, m_k) \mid (a - b), \]
which means the equivalence holds also for the least common multiple of the $m_i$'s.
2. We have $72 \equiv -3 \pmod{25}$, $47 \equiv -3 \pmod{25}$ and $28 \equiv -3 \pmod{25}$. Thus
This shows that $p$ and $q$ are the roots of the quadratic equation $x^2 - 4334x + 3312913 = 0$, whose roots are 3343 and 991. The result is $n = pq = 3343 \cdot 991$.
\[ 1^2 = 7^2 = 9^2 = 15^2 = 1, \quad 3 \cdot 11 = 1, \quad 5 \cdot 13 = 1, \]
Hence
\[ x = (77^{-1}) \odot 100 = 62 \odot 100 = 95, \]
\[ 74 \odot x \oplus 11 = 0 \;\Rightarrow\; 74 \odot x = -11 = 100, \]
and there are no solutions because $\{74 \odot x \mid x \in \mathbb{Z}_{111}\} = \{0, 37, 74\}$.
4. Since we will have only operations in $\mathbb{Z}_n$ for various $n$ but not in $\mathbb{Z}$, we will write $+$ and $\cdot$ instead of $\oplus$ and $\odot$. Recall that a function from a set $A$ to $A$ itself is one-to-one if no two (different) elements of $A$ are mapped to the same element of $A$. For a finite set this is also equivalent to $f$ being onto, which can also be restated as the range of $f$ being all of $\mathbb{Z}_{21}$.
(a) If $a$ is a zero-divisor in $\mathbb{Z}_{21}$, that is, if there is an element $d \neq 0$ in $\mathbb{Z}_{21}$ such that $ad = 0 \bmod 21$, then $f(d) = ad + b = b = f(0)$, and $f$ is not one-to-one. On the other hand, if $a$ is not a zero divisor, then $\gcd(a, 21) = 1$, and there exists (a unique) element $c \in \mathbb{Z}_{21}$ satisfying $ac = 1 \bmod 21$. But then $f(x_1) = f(x_2)$ implies $cf(x_1) = cf(x_2)$, or $c(ax_1 + b) = c(ax_2 + b)$, which reduces to $x_1 + cb = x_2 + cb$ and finally implies that $x_1 = x_2$, proving that $f$ is one-to-one in this case. The set of pairs $(a, b)$ for which the function $f$ is one-to-one is therefore $\{(a, b) \mid a, b \in \mathbb{Z}_{21} \text{ and } \gcd(a, 21) = 1\}$.
(b) Since 7 is not relatively prime to 21, the function $f$ is not one-to-one, and so the image of $f$ is a proper subset of $\mathbb{Z}_{21}$. The expression $7x$, for $x \in \mathbb{Z}_{21}$, takes only three values in $\mathbb{Z}_{21}$, namely 0 if $x$ is a multiple of 3, 7 if $x$ is congruent to 1 modulo 3, and 14 if $x$ is congruent to 2 modulo 3. The image of $f$ is therefore $\{3, 10, 17\}$.
(c) The condition $f^{-1}(f(x)) = x$, for all $x \in \mathbb{Z}_{21}$, is equivalent to $c(ax + b) + d = x$, or $(ac)x + (cb + d) = x$. It is sufficient to take $ac = 1$ and $cb + d = 0$. We can find $c$ by solving the equation $4c + 21y = 1$ using the Extended Euclidean Algorithm, which gives us $c = -5$, $y = 1$, or better, $c = 16$, $y = -3$. Now, $d = -cb = -16 \cdot 15 = 12 \bmod 21$. So, $f^{-1}(x) = 16x + 12$.
5. Fermat's Little Theorem says that if $p$ is prime and $a$ is not divisible by $p$, then $a^{p-1} \equiv 1 \pmod p$. Hence $x^{10} = 1$ in $\mathbb{Z}_{11}$. So $x^{102} = x^2$ in $\mathbb{Z}_{11}$. The equation $x^2 = 4$ has in $\mathbb{Z}_{11}$ two solutions: $x_1 = 2$ and $x_2 = -2 = 9$.
6. Since $m$ is odd, $\gcd(m, 2) = 1$, whence $2^{\phi(m)} \equiv 1 \pmod m$. Thus $2^{\phi(m)-1} \equiv 2^{-1} \pmod m$, which is the inverse of 2 in $\mathbb{Z}_m$. Since $m$ is odd, $m + 1$ is an even number and $(m + 1)/2$ is an integer. This number is the inverse of 2 in $\mathbb{Z}_m$ since $2 \cdot (m + 1)/2 = 1$. Therefore $2^{\phi(m)-1} \equiv (m + 1)/2 \pmod m$.
7. If $(p - 1)! \equiv -1 \pmod p$, then $\gcd(j, p) = 1$ for all $j \in \mathbb{Z}_p^*$. Hence $p$ is prime. If $p$ is prime, then the equation $x^2 = 1$ in $\mathbb{Z}_p$ is equivalent to $(x - 1)(x + 1) = 0$, hence has only two solutions $x = \pm 1$, that is, either $x = 1$ or $x = p - 1$. Then for every $j \in \{2, \ldots, p - 2\}$ we have $j^{-1} \neq j$. This means $2 \cdot 3 \cdot \ldots \cdot (p - 2) = 1$. Hence $(p - 1)! = p - 1 = -1$.
i 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
Plaintext B U Y M O R E P R O P E R T Y
pi 1 20 24 12 14 17 4 16 17 14 16 4 17 19 24
Key T O D A Y I W I L L G O O N C
ki 19 14 3 0 24 8 22 8 11 11 6 14 14 13 2
pi + ki = ci 20 8 1 12 12 25 0 24 2 25 22 18 5 6 0
Cyphertext U I B M M Z A Y C Z W S F G A
i 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
Cyphertext R C X R N W O A P D Y W C A U
ci 17 2 23 17 13 22 14 0 15 3 24 22 2 0 20
Key T O D A Y I W I L L G O O N C
−ki 7 12 23 0 2 18 4 18 15 15 20 12 12 13 24
ci + (−ki ) = pi 24 14 20 17 15 14 18 18 4 18 18 8 14 13 18
Plaintext Y O U R P O S S E S S I O N S
i 16 17 18 19 20 21 22 23 24 25 26 27 28 29
Cyphertext E R K Y W H Z R G S X Q J W
ci 4 17 10 24 22 7 25 17 6 18 23 16 9 22
Key E A G A I N I N T O L I F E
−ki 22 0 20 0 18 13 18 13 7 12 15 18 21 22
ci + (−ki ) = pi 0 17 4 24 14 20 17 4 13 4 12 8 4 18
Plaintext A R E Y O U R E N E M I E S
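The computations in the three tables above (encrypt with $p_i + k_i \bmod 26$, decrypt with $c_i - k_i \bmod 26$, letters mapped to 0..25 as LtoN and NtoL do), as an added Python example that is not code from the book. The key is the running key "TODAY I WILL GO ONCE AGAIN INTO LIFE" of the exercise; `recover_key` is this example's own addition and shows why a running key must never be reused: one known plaintext/ciphertext pair gives the key stream back.

```python
# Added example (not from the book): the Vigenere arithmetic of the tables.

def letters_to_numbers(text):
    """'A'..'Z' -> 0..25, rejecting anything else the way LtoN does."""
    nums = []
    for ch in text:
        if not "A" <= ch <= "Z":
            raise ValueError(f"out of range: {ch!r}")
        nums.append(ord(ch) - 65)
    return nums


def numbers_to_letters(nums):
    """0..25 -> 'A'..'Z', reducing mod 26 first as NtoL does."""
    return "".join(chr(n % 26 + 65) for n in nums)


def vigenere(text, key, decrypt=False):
    """Add (or, when decrypting, subtract) the key stream position by position.
    The key stream must cover the whole text: the exercise uses a running
    key, so no key repetition is performed here."""
    p = letters_to_numbers(text)
    k = letters_to_numbers(key)
    if len(k) < len(p):
        raise ValueError("key stream shorter than text")
    sign = -1 if decrypt else 1
    return numbers_to_letters((pi + sign * ki) % 26 for pi, ki in zip(p, k))


def recover_key(plaintext, ciphertext):
    """k_i = c_i - p_i mod 26: a known plaintext reveals the key stream."""
    p = letters_to_numbers(plaintext)
    c = letters_to_numbers(ciphertext)
    if len(p) != len(c):
        raise ValueError("plaintext and ciphertext differ in length")
    return numbers_to_letters((ci - pi) % 26 for pi, ci in zip(p, c))


# constructed from the second and third tables above (29 letters)
CIPHERTEXT = "RCXRNWOAPDYWCAUERKYWHZRGSXQJW"
RUNNING_KEY = "TODAYIWILLGOONCEAGAININTOLIFE"
```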
3. The message as a numerical string will be: [8, 7, 0, 21, 4, 13, 14, 19, 8, 12, 4, 19,
14, 7, 0, 19, 4].
gap>#Entering the key:
gap> k:=random;;
gap>#Entering the message:
gap> p:=[ 8, 7, 0, 21, 4, 13, 14, 19, 8, 12, 4, 19, 14, 7, 0, 19, 4 ];;
gap> c:=[1..Length(p)];
[ 1 .. 17 ]
gap> for i in [1..Length(p)] do
> c[i]:=(p[i]+k[i]) mod 26;
> od;
gap> c;
[ 6, 0, 16, 4, 5, 22, 12, 17, 23, 15, 16, 22, 24, 18, 21, 16, 23 ]
gap># which in letters will be GAQEFWMRXPQWYSVQX
gap> # Decoding back:
gap> q:=[1..Length(p)];;
gap> for i in [1..Length(p)] do
> q[i]:=(c[i]-k[i]) mod 26;
> od;
gap> p=q;
true
and the plaintext for DRDOFP is SYSTEM. We can calculate the latter using
subprograms LtoN and NtoL:
gap> str := "DRDOFP";;
gap> outstr := "A";
gap> for i in [1..Length(str)] do
> outstr[1] := NtoL( (19*LtoN( str[i] ) + 13) mod 26);
> Print( outstr );
> od;
SYSTEM
3. Since the letter F was encrypted as N and the letter K was encrypted as O, for the encryption function $f(x) = ax + b \bmod 26$ we will have $f(5) = 13$ and $f(10) = 14$. Solving the system of equations in $\mathbb{Z}_{26}$
\[ 5a + b = 13, \]
\[ 10a + b = 14 \]
we find $a = 21$ and $b = 12$, hence the key is the pair $(21, 12)$.
With GAP this would be
gap> M:=[[5,1],[10,1]];
[ [ 5, 1 ], [ 10, 1 ] ]
gap> rhs:=[13,14];
[ 13, 14 ]
gap> key:=M^-1*rhs mod 26;
[ 21, 12 ]
Since the most frequent letter in the cyphertext is c and in English texts this
role is usually played by e, our guess is that the encryption function f (x) =
ax + b mod 26 maps the integer value of e, which is 4, to the integer value of c,
which is 2. This gives the first equation:
The second most frequent letter in English is t, while in our cyphertext the second
place is shared by x and i. Suppose first that the letter t was encrypted to x. Then
which is obviously not an English text. Our guess that t was encrypted to x must
therefore be wrong. We get similar nonsense if we assume that t is encrypted to i.
We can either proceed in this fashion until we get something meaningful, or
observe that in our cyphertext the group of three letters ljc is very frequent. Since
our guess is that c is in fact encrypted to e, it is very plausible that the group ljc
represents the word the. If this is the case, then t is encoded to l, which gives the
equation
\[ 19a + b = 11 \bmod 26, \tag{11.3} \]
This, together with (11.1), implies that a = 11 and b = 10. The decrypting
function is then g(x) = 19x + 18. Decrypting the cyphertext with g gives the
following plaintext:
three rings for the eleven kings under the sky seven for the dwarf lords in their halls of stone
nine for mortal men doomed to die one for the dark lord on his dark throne in the land of
mordor where the shadows lie one ring to rule them all one ring to find them one ring to
bring them all and in the darkness bind them in the land of mordor where the shadows lie
\[ \det\begin{pmatrix} 1 & 12 \\ 12 & 1 \end{pmatrix} = 13, \qquad \det\begin{pmatrix} 1 & 6 \\ 6 & 1 \end{pmatrix} = 17. \]
Since 13 is not relatively prime to 26, the first matrix is not invertible because its determinant is not invertible. Since $17^{-1} = 23$ exists, the second matrix is invertible with
\[ \begin{pmatrix} 1 & 6 \\ 6 & 1 \end{pmatrix}^{-1} = 23 \begin{pmatrix} 1 & 20 \\ 20 & 1 \end{pmatrix} = \begin{pmatrix} 23 & 18 \\ 18 & 23 \end{pmatrix}. \]
\[ M = \begin{pmatrix} 1 & 6 \\ 6 & 1 \end{pmatrix} \]
then compute
\[ M \begin{pmatrix} 24 \\ 4 \end{pmatrix} = \begin{pmatrix} 1 & 6 \\ 6 & 1 \end{pmatrix} \begin{pmatrix} 24 \\ 4 \end{pmatrix} = \begin{pmatrix} 22 \\ 18 \end{pmatrix} \]
and
\[ M \begin{pmatrix} 0 \\ 17 \end{pmatrix} = \begin{pmatrix} 1 & 6 \\ 6 & 1 \end{pmatrix} \begin{pmatrix} 0 \\ 17 \end{pmatrix} = \begin{pmatrix} 24 \\ 17 \end{pmatrix}. \]
\[ M^{-1} \begin{pmatrix} 17 \\ 14 \end{pmatrix} = \begin{pmatrix} 23 & 18 \\ 18 & 23 \end{pmatrix} \begin{pmatrix} 17 \\ 14 \end{pmatrix} = \begin{pmatrix} 19 \\ 4 \end{pmatrix} \]
and
\[ M^{-1} \begin{pmatrix} 11 \\ 10 \end{pmatrix} = \begin{pmatrix} 23 & 18 \\ 18 & 23 \end{pmatrix} \begin{pmatrix} 11 \\ 10 \end{pmatrix} = \begin{pmatrix} 17 \\ 12 \end{pmatrix}. \]
2. Let $v = (x, y)^T$ be the vector of numerical encodings for X and Y, respectively. Then we know that $K(Kv) = v$, that is $K^2 v = v$. Of course, $v = (0, 0)^T$ is one solution. If $v \neq 0$, then it is an eigenvector of $K^2$ belonging to the eigenvalue 1. We have
\[ K^2 - I = \begin{pmatrix} 5 & 4 \\ 4 & 5 \end{pmatrix} - \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix} = \begin{pmatrix} 4 & 4 \\ 4 & 4 \end{pmatrix} \]
The nullspace of this matrix is spanned by the vector $(1, -1)^T = (1, 25)^T$. The other eigenvectors will be $(2, -2)^T = (2, 24)^T$, etc. up to $(13, -13)^T = (13, 13)^T$. Together with $(0, 0)^T$ we will have 14 pairs:
\[ K = \begin{pmatrix} a & b \\ c & d \end{pmatrix}. \]
The first 4 letters of the ciphertext correspond to the vectors $(13, 22)$ and $(14, 11)$. The first 4 letters of the message correspond to $(3, 4)$ and $(0, 17)$. Hence, the secret key satisfies the equations
\[ \begin{pmatrix} a & b \\ c & d \end{pmatrix} \begin{pmatrix} 3 \\ 4 \end{pmatrix} \equiv \begin{pmatrix} 13 \\ 22 \end{pmatrix}, \qquad \begin{pmatrix} a & b \\ c & d \end{pmatrix} \begin{pmatrix} 0 \\ 17 \end{pmatrix} \equiv \begin{pmatrix} 14 \\ 11 \end{pmatrix} \pmod{26}. \]
Using the second equation first we find $17b \equiv 14 \pmod{26}$ and $17d \equiv 11 \pmod{26}$. Compute $17^{-1} \equiv -3 \equiv 23 \pmod{26}$ using the extended Euclidean algorithm (or Gcdex in GAP) and hence determine that $b = 10$ and $d = 19$. Now use the first equation to solve for $a$ and $c$. One has $3a \equiv 13 - 4b \pmod{26}$. Since $3^{-1} \equiv 9 \pmod{26}$ one determines that $a = 17$. Similarly, $3c \equiv 22 - 4d \pmod{26}$ and so $c = 8$.
Now that one has the key, compute
\[ K^{-1} = \begin{pmatrix} 5 & 22 \\ 2 & 25 \end{pmatrix} \]
(the letter X at the end was added to make the total number of letters in the message even).
4. Firstly we input what is given: the key K and the cryptotext c:
gap> K:=[ [ 1, 2, 3, 4, 5 ], [ 9, 11, 18, 12, 4 ], [ 1, 2, 8, 23, 3 ],
[ 7, 14, 21, 5, 1 ], [ 5, 20, 6, 5, 0 ] ];;
gap> c:=[ [ 24, 12, 9, 9, 4 ], [ 4, 25, 10, 4, 22 ], [ 7, 11, 16, 16, 8 ],
[ 18, 3, 9, 24, 9 ], [ 2, 19, 24, 4, 20 ], [ 1, 24, 10, 5, 1 ],
[ 22, 15, 1, 1, 4 ] ];;
gap># Calculating the inverse of the key matrix:
gap> M:=K^-1 mod 26;
[ [ 21, 16, 22, 25, 11 ], [ 17, 9, 22, 21, 9 ], [ 6, 10, 23, 17, 20 ],
[ 13, 14, 8, 11, 2 ], [ 22, 2, 3, 4, 17 ] ]
gap># Preparing the list for the plaintext:
gap> p:=[[],[],[],[],[],[],[],[],[],[],[],[]];;
gap>#Calculating the plaintext:
gap> for i in [1..12] do
> p[i]:=c[i]*M mod 26;
> od;
gap> p;
[ [ 12, 0, 19, 7, 4 ], [ 12, 0, 19, 8, 2 ], [ 8, 0, 13, 18, 0 ],
[ 17, 4, 12, 0, 2 ], [ 7, 8, 13, 4, 18 ], [ 5, 14, 17, 2, 14 ],
[ 13, 21, 4, 17, 19 ], [ 8, 13, 6, 2, 14 ], [ 5, 5, 4, 4, 8 ],
[ 13, 19, 14, 19, 7 ], [ 4, 14, 17, 4, 12 ], [ 18, 25, 25, 25, 25 ] ]
gap># This reads: "Mathematicians are machines for conversion of coffee into
gap># theorems."
gap># This famous statement belongs to Paul Erdős.
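Inverting a matrix modulo 26, as GAP's K^-1 mod 26 does, and the two key recoveries it enables, as an added Python example that is not code from the book: the affine key from M^-1*rhs mod 26 in Exercise 3 above, and the Hill key from two known plaintext/ciphertext pairs in the solution before this one (K*P = C, hence K = C*P^-1). The adjugate is used instead of elimination because a matrix can be invertible mod 26 without any single column entry being a unit; `inv_mod_matrix`, `affine_key` and `hill_key_from_pairs` are this example's own names.

```python
# Added example (not from the book): matrix inversion mod 26 and the key
# recoveries of the Hill-cipher and affine-cipher exercises above.
from math import gcd


def minor(mat, r, c):
    """mat with row r and column c removed."""
    return [row[:c] + row[c + 1:] for i, row in enumerate(mat) if i != r]


def det_mod(mat, m):
    """Determinant modulo m by cofactor expansion along the first row."""
    if len(mat) == 1:
        return mat[0][0] % m
    return sum((-1) ** j * mat[0][j] * det_mod(minor(mat, 0, j), m)
               for j in range(len(mat))) % m


def inv_mod_matrix(mat, m=26):
    """Inverse of a square integer matrix mod m via the adjugate, or None
    when the determinant is not a unit mod m (GAP fails for det = 13)."""
    n = len(mat)
    d = det_mod(mat, m)
    if gcd(d, m) != 1:
        return None
    dinv = pow(d, -1, m)
    # adjugate entry (i, j) is the cofactor of entry (j, i)
    return [[(-1) ** (i + j) * det_mod(minor(mat, j, i), m) * dinv % m
             for j in range(n)] for i in range(n)]


def mat_mul(A, B, m=26):
    """Matrix product with entries reduced mod m."""
    return [[sum(x * y for x, y in zip(row, col)) % m for col in zip(*B)]
            for row in A]


def affine_key(pairs, m=26):
    """(a, b) with a*x + b = y mod m for two known (x, y) pairs, solved as
    M^-1 * rhs with M = [[x1, 1], [x2, 1]]; None if x1 - x2 is not a unit."""
    (x1, y1), (x2, y2) = pairs
    inv = inv_mod_matrix([[x1, 1], [x2, 1]], m)
    if inv is None:
        return None
    col = mat_mul(inv, [[y1], [y2]], m)
    return col[0][0], col[1][0]


def hill_key_from_pairs(plain_vecs, cipher_vecs, m=26):
    """Recover K from K*P = C, where the columns of P and C are the known
    plaintext and ciphertext column vectors: K = C * P^-1 mod m."""
    P = [list(col) for col in zip(*plain_vecs)]    # vectors become columns
    C = [list(col) for col in zip(*cipher_vecs)]
    Pinv = inv_mod_matrix(P, m)
    return None if Pinv is None else mat_mul(C, Pinv, m)


# the 5x5 key of Exercise 4 above, copied from the GAP session
K5 = [[1, 2, 3, 4, 5], [9, 11, 18, 12, 4], [1, 2, 8, 23, 3],
      [7, 14, 21, 5, 1], [5, 20, 6, 5, 0]]
```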
5. Let us start with some brief Linear Algebra preliminaries. Let R be a commutative
ring and A be an n × n matrix with entries from R.
1. We have
4014
where $k_1 = \ln 2$. If we continue applying L'Hospital's rule 4014 times, we will obtain
\[ \lim_{x \to \infty} \frac{x^{2007}}{2^{\sqrt{x}}} = k_{4014} \cdot \lim_{x \to \infty} \frac{1}{2^{\sqrt{x}}} = 0. \]
Since $\lim_{x \to \infty} \psi(x) = \lim_{x \to \infty} \chi(x) = \infty$, we can apply L'Hospital's rule to get
\[ \lim_{x \to \infty} \frac{\chi(x)}{\psi(x)} = \lim_{x \to \infty} \frac{\chi'(x)}{\psi'(x)} = \lim_{x \to \infty} \frac{\ln x - 1}{(\ln x)^2} \cdot \frac{1}{\frac{1}{\ln x}} = \lim_{x \to \infty} \left( 1 - \frac{1}{\ln x} \right) = 1, \]
where we differentiated $\chi(x)$ using the Quotient rule and $\psi(x)$ using the Fundamental Theorem of Calculus.
5. (a) We have $f(n) = o(g(n))$ since
\[ \lim_{n \to \infty} \frac{(\ln n)^{1000}}{n^{10}} = 0. \]
This can be established by L'Hospital's rule:
\[ \lim_{n \to \infty} \frac{n^{10}}{e^{n/3}} = \lim_{n \to \infty} \frac{10 n^9}{\frac{1}{3} e^{n/3}} = \cdots = \lim_{n \to \infty} \frac{10!}{(1/3)^{10} e^{n/3}} = 0. \]
This is faster than constant but slower than $n^2$. Hence we have to order the functions as $f(n)$, $h(n)$, $g(n)$.
6. The algorithm is based on the observation that the equality
\[ (\sqrt[i]{n})^i = n \]
Thus the program performs $\log_2 n$ operations RootInt, hence its complexity is linear in the number of bits of $n$, which is the size of the input.
gap> i:=1;;
gap> ell:=LogInt(n,2);
2121
gap> while i<(ell+1) do
> if RootInt(n,i)^i=n then
> m:=RootInt(n,i);
> k:=i;
> fi;
> i:=i+1;
> od;
gap> m;
113
gap> k;
311
Hence $n = 113^{311}$.
7. (a) We have
\[ \binom{n}{k} = \frac{n!}{k!(n - k)!} = \frac{1}{k!}\, n(n - 1) \cdots (n - k + 1) = \Theta(n^k) \]
The function $H(\alpha) = -(\alpha \log_2 \alpha + \beta \log_2 \beta)$ is called the Entropy function. We get as a result that
\[ \binom{n}{\alpha n} \sim e^{nH(\alpha)}, \]
1. (a) The exact number of bits required to input an integer $N$ will be $\log_2 N$. We are interested in integers between $10^{99}$ and $10^{100}$, so we have
\[ 1234567 = 100101101011010000111_2. \]
\[ \sum_x |S_x| \le \sum_{i=1}^{n} (i - 1) = \frac{n(n - 1)}{2} = \Theta(n^2). \]
We also need to check that this can actually occur, and clearly it can, for example,
the list {n, n − 1, . . . , 2, 1} will require this number of swaps.
3. In the worst-case scenario we might need $(\log_2 N)^3$ divisions. For large $N$, this is less than the $\sqrt{N}/\ln N$ divisions required by the standard algorithm. Therefore some composite numbers together with primes might be declared to be interesting. This algorithm has polynomial complexity. Indeed, since we may consider that $N \approx 2^n$, where $n$ is the number of bits necessary to input $N$, the worst-case complexity function is $f(n) \approx (\log_2 2^n)^3 = n^3$. It is cubic.
4. (a) Obviously $f_n \ge f_{n-1}$. Hence $f_n = f_{n-1} + f_{n-2} \le 2 f_{n-1}$. We have $f_{n+5} = f_{n+4} + f_{n+3} = 2 f_{n+3} + f_{n+2} = 3 f_{n+2} + 2 f_{n+1} = 5 f_{n+1} + 3 f_n = 8 f_n + 5 f_{n-1} > 8 f_n + 4 f_{n-1} \ge 8 f_n + 2 f_n = 10 f_n$.
(b) We may assume $a > b$. We use the Euclidean algorithm to find:
\[ \begin{aligned} a &= q_1 b + r_1, & 0 < r_1 < b, \\ b &= q_2 r_1 + r_2, & 0 < r_2 < r_1, \\ r_1 &= q_3 r_2 + r_3, & 0 < r_3 < r_2, \\ &\;\;\vdots \\ r_{s-2} &= q_s r_{s-1} + r_s, & 0 < r_s < r_{s-1}, \\ r_{s-1} &= q_{s+1} r_s. \end{aligned} \]
1. As e1 = 2145 and φ(n) = 11200 are obviously not coprime (they have a factor
5 in common), e1 cannot be used in a public key. On the other hand, e2 = 3861
is coprime with φ(n) and the Extended Euclidean algorithm gives us 1 = 1744 ·
11200 + (−5059) · 3861. So d = 11200 − 5059 = 6141. Checking with GAP:
gap> QuotientMod(1,3861,11200);
6141
11.2 Solutions to Exercises of Chap. 2 277
2. We first need to calculate Bob's private key which is e⁻¹ mod φ(n) = 113⁻¹ mod 120 = 17 and then calculate 97¹⁷ mod 143 = 15. So the letter was 'E'.
3. Bob calculates m², m⁴, m⁸, m¹⁶, m³² by successive squaring. Then he multiplies m³² · m⁸ · m = m⁴¹ using in total 7 multiplications.
5. (a) We calculate √20687 = 143. Assuming that 20687 is a product of two three-digit primes, the smallest prime factor of 20687 should be one of these primes:
Trying all of them we find that 20687 = 137 · 151. Thus φ(20687) = 136 · 150 = 20400. Now we may compute Alice's private key which is d = 17179⁻¹ mod 20400. We compute
20400     1     0
17179     0     1
 3221     1    −1
 1074    −5     6
 1073    11   −13
    1   −16    19
6. (a) The cyphertext Alice needs to send to Bob is c = mᵉ mod n = 183¹⁰⁰³ mod 24613. Without GAP, this number can be efficiently calculated as follows: first, find the binary representation e = 1111101011₍₂₎ and construct the sequence (computed in Zₙ)
m₀ = m = 183,
m₁ = m₀² = 8876,
m₂ = m₁² = m₀^{2²} = 21776,
m₃ = m₂² = m₀^{2³} = 118,
m₄ = m₃² = m₀^{2⁴} = 13924,
m₅ = m₄² = m₀^{2⁵} = 1175,
m₆ = m₅² = m₀^{2⁶} = 2297,
m₇ = m₆² = m₀^{2⁷} = 9027,
m₈ = m₇² = m₀^{2⁸} = 17699,
m₉ = m₈² = m₀^{2⁹} = 4950.
Now,
c = 183^{2⁹+2⁸+2⁷+2⁶+2⁵+2³+2+1} mod n = ((((((m₉m₈)m₇)m₆)m₅)m₃)m₁)m₀ = 20719.
(b) The private key d and the public key e satisfy the equation ed ≡ 1 mod φ(n), or equivalently, ed + yφ(n) = 1. The Extended Euclidean Algorithm gives a negative solution d = −533, which is congruent to d + φ(n) = 23767 modulo φ(n).
gap> QuotientMod(1,e, 24300);
23767
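The exponent arithmetic of exercises 1, 5(a) and 6 as Python, an added example that is not the book's GAP code: extended_gcd walks the same tableau as 5(a), mod_inverse plays the role of QuotientMod, and square_and_multiply reproduces the chain m₀, …, m₉ of 6(a).

```python
"""RSA exponent arithmetic for the exercises above (added example, not the book's GAP code)."""


def extended_gcd(a, b):
    """Return (g, x, y) with a*x + b*y == g == gcd(a, b).

    Each loop iteration corresponds to one row of the tableau in exercise 5(a):
    the current remainder together with its coefficients on the two inputs.
    """
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def is_valid_public_exponent(e, phi):
    """e can be a public exponent only if gcd(e, phi) == 1 (exercise 1)."""
    return extended_gcd(e, phi)[0] == 1


def mod_inverse(e, phi):
    """e^-1 mod phi, the role GAP's QuotientMod(1, e, phi) plays above."""
    g, x, _ = extended_gcd(e, phi)
    if g != 1:
        raise ValueError(f"{e} is not invertible modulo {phi} (gcd = {g})")
    return x % phi          # lifts a negative solution such as -533 into 0..phi-1


def private_exponent(p, q, e):
    """Given the factors of n (exercise 5(a)), return (phi(n), d)."""
    phi = (p - 1) * (q - 1)
    return phi, mod_inverse(e, phi)


def square_and_multiply(m, e, n):
    """Return (m**e mod n, [m, m^2, m^4, ...]) computed as in exercise 6(a).

    squares[i] is m raised to 2**i, reduced modulo n; the result is the product
    of the squares whose bit is set in e.
    """
    squares = [m % n]
    for _ in range(e.bit_length() - 1):
        squares.append(squares[-1] * squares[-1] % n)
    result = 1
    for bit, s in enumerate(squares):
        if (e >> bit) & 1:
            result = result * s % n
    return result, squares


if __name__ == "__main__":
    print(is_valid_public_exponent(2145, 11200))  # False: gcd is 5
    print(mod_inverse(3861, 11200))               # 6141, as in exercise 1
    print(private_exponent(137, 151, 17179))      # (20400, 19), as in exercise 5(a)
    c, chain = square_and_multiply(183, 1003, 24613)
    print(chain)                                  # m_0 .. m_9 from exercise 6(a)
    print(c)                                      # 20719
    print(mod_inverse(1003, 24300))               # 23767, as in exercise 6(b)
```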
1. The double encryption with e₁ and then with e₂ is the same as one encryption with e = e₁e₂, since c₂ ≡ c₁^{e₂} ≡ (m^{e₁})^{e₂} ≡ m^{e₁e₂} mod n. As gcd(e₁e₂, φ(n)) = 1, the product e₁e₂ is another legitimate exponent. For decryption we can use the exponent d = d₁d₂, since e₁e₂d₁d₂ ≡ 1 mod φ(n) and m ≡ (c₂^{d₂})^{d₁} ≡ c₂^{d₁d₂} mod n. Thus double encryption is the same as a single encryption (with another exponent) and it does not increase security over single encryption.
2. Eve has to try to factorise n and if it is successful, then calculate φ(n) and then
Alice’s private decryption exponent d.
gap> n:=30796045883;
30796045883
gap> e:=48611;
48611
gap> factors:=FactorsInt(n);
[ 163841, 187963 ]
gap> # So the factorisation was successful!
gap> phi:= (factors[1]-1)*(factors[2]-1);
30795694080
gap> d:=QuotientMod(1,e,phi);
20709535691
gap> # Eve inputs cryptotext in the list c
gap> c:=[ 5272281348, 21089283929, 3117723025, 26844144908, 22890519533,
26945939925, 27395704341, 2253724391, 1481682985, 2163791130,
13583590307, 5838404872, 12165330281, 28372578777, 7536755222 ];;
gap> # Now she decodes the cryptotext writing the output into the list m:
gap> m:=[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0];;
gap> for i in [1..15] do
> m[i]:=PowerMod(c[i],d,n);
> od;
gap> m;
[ 2311301815, 2311301913, 2919293018, 1527311515, 2425162913, 1915241315,
1124142431, 2312152830, 1815252835, 1929301815, 2731151524, 2516231130,
1815231130, 1913292116, 1711312929 ]
gap> # This reads:"Mathematics is the queen of sciences and number theory
gap> # is the queen of mathematics KF GAUSS"
This reads:
THIS IS MY LETTER TO THE WORLD THAT NEVER WROTE TO ME
EMILY DICKINSON
1. (a) The test (b, 91) reveals compositeness of 91 with probability 2/89 for the
interval b ∈ {2, . . . , 90} as only b = 7 and b = 13 are divisors of 91.
(b) There are n−φ(n)−1 = 18 numbers b in {2, 3, . . . , 90} that are not relatively
prime to n = 91 and will reveal compositeness of n = 91. The probability
sought for is 18/89.
2. Since φ(91) = 72, by Euler's theorem 5⁷² ≡ 1 mod 91. Hence 5⁹⁰ ≡ 5¹⁸ mod 91 and since 18 = 16 + 2 = (10010)₍₂₎ we have to compute 5² and 5¹⁶. We compute in Z₉₁ as follows: 5² = 25, 5⁴ = 25² = 79, 5⁸ = 79² = 53, 5¹⁶ = 53² = 79. Hence 5¹⁸ = 64 and 5⁹⁰ ≢ 1 (mod 91). We know that 91 is composite by the third test.
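Counting the bases of exercises 1 and 2 in Python, an added example that is not the book's code; it also runs the same count on 561 from the next exercise, where every coprime base is a Fermat liar.

```python
"""Fermat-test base statistics for the exercises above (added example, not the book's code)."""
from math import gcd


def proper_divisor_bases(n):
    """Bases b in {2, ..., n-1} that divide n outright (part (a) of exercise 1)."""
    return [b for b in range(2, n) if n % b == 0]


def fermat_base_classes(n):
    """Classify every base b in {2, ..., n-1} for the Fermat test on the composite n.

    Returns counts of bases that
      - share a factor with n ("divisor": the gcd alone reveals compositeness),
      - are coprime to n but have b^(n-1) != 1 mod n ("witness"),
      - are coprime to n and have b^(n-1) == 1 mod n ("liar"),
    plus the total number of bases, so that fractions such as 18/89 can be formed.
    """
    counts = {"divisor": 0, "witness": 0, "liar": 0, "total": n - 2}
    for b in range(2, n):
        if gcd(b, n) != 1:
            counts["divisor"] += 1
        elif pow(b, n - 1, n) != 1:
            counts["witness"] += 1
        else:
            counts["liar"] += 1
    return counts


def reduced_power(b, k, n, phi):
    """b^k mod n computed as b^(k mod phi), the reduction used in exercise 2.

    Valid only when gcd(b, n) == 1, which is what Euler's theorem requires.
    """
    if gcd(b, n) != 1:
        raise ValueError("Euler's theorem needs gcd(b, n) == 1")
    return pow(b, k % phi, n)


if __name__ == "__main__":
    print(proper_divisor_bases(91))        # [7, 13]
    print(fermat_base_classes(91))         # 18 divisor bases out of 89
    print(reduced_power(5, 90, 91, 72))    # 64, so 5^90 is not 1 mod 91
    print(fermat_base_classes(561))        # a Carmichael number: no witnesses at all
```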
3. We use Exercise 4 of Sect. 1.1.1 as follows:
$$2^{F_n} - 2 = 2\left(2^{F_n - 1} - 1\right) = 2\left(2^{2^{2^n}} + 1 - 2\right) = 2\left(F_{2^n} - 2\right) = 2F_0F_1\cdots F_{2^n - 1}.$$
7³⁵ − 1 ≡ 240 mod 561, 7³⁵ + 1 ≡ 242 mod 561, 7⁷⁰ + 1 ≡ 299 mod 561,
a^{p−1} ≡ 1 mod p².
This must be true for all a relatively prime to pᵏ and in particular for a = p − 1. But using binomial expansion we find that
(p − 1)^{p−1} ≡ (p − 1)p + 1 ≡ 1 − p mod p²,
Bob can verify that the message is from Alice by computing s^{e_A} mod n_A. If the message is from Alice, then the result will be m, which is indeed the case.
gap> nA:=171024704183616109700818066925197841516671277;;
gap> eA:=1571;;
gap> ms:=PowerMod(s,eA,nA);
1234567890000000000987654321
gap> ms=m;
true
1. We have:
(a) f ∘ g(x) = sin(1/x), and g ∘ f(x) = 1/sin x;
(b) f ∘ g(x) = √(eˣ) = e^{x/2}, and g ∘ f(x) = e^{√x}.
2. Indeed, Rθ ◦ R2π−θ = id since this composition is a rotation through an angle
of 2π.
3. We have H ◦ H = id.
4. Without loss of generality we may assume that our permutations fixed elements
n − k + 1, n − k + 2, . . . , n. Any such permutation can be identified with per-
mutations on the set {1, 2, . . . , n−k}. Hence there are (n − k)! of them.
5. We have
hence
$$\sigma = \begin{pmatrix}1&2&3&4&5&6&7&8\\5&1&6&2&7&3&8&4\end{pmatrix}.$$
The numbers in the last row are all different, hence this is a one-to-one mapping, hence a permutation.
6. Since for finite sets one-to-one implies onto, it is enough to prove that π is
one-to-one. Suppose π(k1 ) = π(k2 ). Then 3k1 ≡ 3k2 mod 13, which implies
k1 ≡ k2 mod 13 since 3 and 13 are coprime. Hence π is one-to-one and is a
permutation.
7. Since i² ≡ (13 − i)² mod 13, the mapping is not one-to-one. We have 1² mod 13 = 1, 2² mod 13 = 4, 3² mod 13 = 9, 4² mod 13 = 3, 5² mod 13 = 12, and 6² mod 13 = 10. Therefore 2, 5, 6, 7, 8, 11 are not in the range of τ, hence it is not onto.
8. We have
$$\rho = \begin{pmatrix}1&2&3&4&5&6\\3&4&5&6&1&2\end{pmatrix},\qquad \rho^2 = \begin{pmatrix}1&2&3&4&5&6\\5&6&1&2&3&4\end{pmatrix},\qquad \rho^3 = \mathrm{id}.$$
Hence
$$\rho^{-1} = \rho^2 = \begin{pmatrix}1&2&3&4&5&6\\5&6&1&2&3&4\end{pmatrix}.$$
We also have τ² = id, hence τ⁻¹ = τ.
9. $(\sigma\gamma)^{-1} = \begin{pmatrix}1&2&3&4&5&6&7&8&9\\9&1&3&7&6&5&8&4&2\end{pmatrix}$. Calculating this with GAP:
gap> sigma:=PermList([2,4,5,6,1,9,8,3,7]);;
gap> gamma:=PermList([6,2,7,9,3,8,1,4,5]);
gap> mu:=sigma*gamma;;
gap> ListPerm(mu^-1);
[ 9, 1, 3, 7, 6, 5, 8, 4, 2 ]
1. Let π = στ , where σ and τ are disjoint cycles. Suppose σ moves elements of the
set I and τ moves elements of the set J . Since these cycles are disjoint, I and J
have no elements in common. Let K = {1, 2, . . . , n} \ (I ∪ J ). Then π(i) = σ(i)
for i ∈ I , π( j) = τ ( j) for j ∈ J and π(k) = k for k ∈ K . We obtain exactly the
same result for π = τ σ.
2. The calculation shows
$$\pi = \begin{pmatrix}1&2&3&4&5&6&7&8&9&10&11&12\\3&6&9&12&2&5&8&11&1&4&7&10\end{pmatrix} = (1\ 3\ 9)(2\ 6\ 5)(4\ 12\ 10)(7\ 8\ 11).$$
3. (1 4 3)(2 5).
4. $(\sigma\tau)^{-1} = \begin{pmatrix}1&2&3&4&5&6&7&8&9\\6&9&2&8&4&7&5&1&3\end{pmatrix} = (1\ 6\ 7\ 5\ 4\ 8)(2\ 9\ 3).$
Solutions to Exercises of Sect. 3.1.4
1. (a) Since
$$\sigma = \begin{pmatrix}1&2&3&4&5&6&7&8&9\\5&3&6&7&1&2&8&9&4\end{pmatrix} = (1\ 5)(2\ 3\ 6)(4\ 7\ 8\ 9),$$
(a) gap> j:=[ 3, 6, 9, 12, 15, 18, 21, 24, 27, 30, 33, 36, 39, 1, 5, 10, 14,
19, 23, 28, 32, 37, 41, 7, 13, 20, 26, 34, 40, 8, 17, 29, 38, 11, 25, 2,
22, 4, 35, 16, 31 ];;
gap> J:=PermList(j);
(1,3,9,27,26,20,28,34,11,33,38,4,12,36,2,6,18,19,23,41,31,17,14)(5,15)
(7,21,32,29,40,16,10,30,8,24)(13,39,35,25)(22,37)
3. The mapping i → 13i mod 23 is a one-to-one mapping of S₂₂ into itself since 13 and 23 are relatively prime. Now
gap> list:=[1..22];;
gap> for i in [1..22] do
> list[i]:=13*i mod 23;
> od;
gap> list;
[ 13, 3, 16, 6, 19, 9, 22, 12, 2, 15, 5, 18, 8, 21, 11, 1, 14, 4, 17, 7, 20, 10 ]
gap> PermList(list);
(1,13,8,12,18,4,6,9,2,3,16)(5,19,17,14,21,20,7,22,10,15,11).
The order of this permutation is 2, so repeating this shuffle twice will bring cards
to the initial order.
2. We know that the interlacing shuffle is defined by the equation σ(i) = 2i mod 105.
Thus we have:
gap> lastrow:=[1..104];
[ 1 .. 104 ]
gap> for i in [1..104] do
> lastrow[i]:=2*i mod 105;
> od;
gap> s:=PermList(lastrow);
(1,2,4,8,16,32,64,23,46,92,79,53)(3,6,12,24,48,96,87,69,33,66,27,54)(5,10,20,
40,80,55)(7,14,28,56)(9,18,36,72,39,78,51,102,99,93,81,57)(11,22,44,88,71,37,
74,43,86,67,29,58)(13,26,52,104,103,101,97,89,73,41,82,59)(15,30,60)(17,34,68,
31,62,19,38,76,47,94,83,61)(21,42,84,63)(25,50,100,95,85,65)(35,70)(45,90,
75)(49,98,91,77)
gap> Order(s);
12
When k units of time pass, they will exchange places according to the permutation σᵏ. If σ is the product of m disjoint cycles of lengths ℓ₁, ℓ₂, …, ℓₘ, respectively, then σ^ℓ is the identity permutation for ℓ = lcm(ℓ₁, ℓ₂, …, ℓₘ) being the order of σ. Hence after ℓ units of time all beetles will occupy their initial positions.
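Permutation arithmetic for the GAP sessions above, as an added Python example that is not the book's code; lists follow PermList's convention and compose follows GAP's left-to-right product, so the results can be checked against the sessions: the inverse of sigma*gamma, the two shuffles i ↦ 13i mod 23 and i ↦ 2i mod 105, and the 15-puzzle permutation.

```python
"""Permutations of {1, ..., n} stored as image lists, images[i-1] = image of i,
exactly like the list handed to GAP's PermList (added example, not the book's code)."""
from functools import reduce
from math import gcd, lcm


def compose(p, q):
    """GAP's p*q: apply p first, then q (GAP permutations act from the right)."""
    return [q[p[i] - 1] for i in range(len(p))]


def inverse(p):
    inv = [0] * len(p)
    for i, image in enumerate(p, start=1):
        inv[image - 1] = i
    return inv


def cycles(p):
    """Disjoint cycle decomposition; fixed points are omitted, as in GAP's output."""
    seen, result = set(), []
    for start in range(1, len(p) + 1):
        if start in seen:
            continue
        cycle, i = [], start
        while i not in seen:
            seen.add(i)
            cycle.append(i)
            i = p[i - 1]
        if len(cycle) > 1:
            result.append(cycle)
    return result


def order(p):
    """Order of p = lcm of its cycle lengths (the beetle argument above)."""
    return reduce(lcm, (len(c) for c in cycles(p)), 1)


def is_even(p):
    """A cycle of length L is a product of L-1 transpositions."""
    return sum(len(c) - 1 for c in cycles(p)) % 2 == 0


def modular_shuffle(a, m):
    """The shuffle i -> a*i mod m on {1, ..., m-1}; a bijection only when gcd(a, m) == 1."""
    if gcd(a, m) != 1:
        raise ValueError("a*i mod m is not a permutation unless gcd(a, m) == 1")
    return [a * i % m for i in range(1, m)]


if __name__ == "__main__":
    sigma = [2, 4, 5, 6, 1, 9, 8, 3, 7]
    gamma = [6, 2, 7, 9, 3, 8, 1, 4, 5]
    print(inverse(compose(sigma, gamma)))        # [9, 1, 3, 7, 6, 5, 8, 4, 2]
    s13 = modular_shuffle(13, 23)
    print(cycles(s13), order(s13))               # two 11-cycles, order 11
    print(order(modular_shuffle(2, 105)))        # 12, as Order(s) gives above
    puzzle = [1, 3, 2, 4, 6, 5, 7, 8, 9, 13, 15, 11, 14, 10, 12, 16]
    print(cycles(puzzle), is_even(puzzle))       # (2,3)(5,6)(10,13,14)(11,15,12), even
```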
Solutions to Exercises of Sect. 3.1.6
1. Using Eq. (3.5) we get
(1 3 7)(5 7 8)(2 3 4 6 9) = (1 3)(1 7)(5 7)(5 8)(2 3)(2 4)(2 6)(2 9).
(1 3 7)(5 7 8)(2 3 4 6 9) = (1 4 6 9 2 3 8 5 7) = (1 4)(1 6)(1 9)(1 2)(1 3)(1 8)(1 5)(1 7).
2. It is odd. We can prove by induction that the product of an odd number of odd
permutations is odd. Suppose this is true for any 2n−1 odd permutations. Consider
the product = π1 . . . π2n+1 . We can write it as
The induction hypothesis gives us that the first bracket is odd and the second, by
Theorem 3.1.6(ii), is even. Then is even by Theorem 3.1.6(iii).
3. We must consider four cases, here we will consider only one: π is even and ρ is
odd. By Theorem 3.1.6(iv) ρ−1 is also odd. Then, by Theorem 3.1.6, ρ−1 π is odd
and ρ−1 πρ is even. Hence π and ρ−1 πρ have the same parity. The other three
cases are similar.
4. By the previous exercise π −1 ρ−1 π has the same parity as ρ. Hence, by
Theorem 3.1.6, π −1 ρ−1 πρ is an even permutation.
5. If n = 2k, this permutation is a product
(1 n)(2 n − 1) . . . (k k + 1).
If n = 2k + 1, then
(1 n)(2 n − 1) . . . (k k + 2).
1. The two positions differ only by a switch of neighboring squares 10 and 14. In
this case the corresponding permutations will be of different parities, hence only
one of them is realizable.
2. Calculating the corresponding permutations in GAP:
gap> first:=[1,3,2,4,6,5,7,8,9,13,15,11,14,10,12,16];
[ 1, 3, 2, 4, 6, 5, 7, 8, 9, 13, 15, 11, 14, 10, 12, 16 ]
gap> s:=PermList(first);
(2,3)(5,6)(10,13,14)(11,15,12)
$$\psi_i = \cos\frac{2i\pi}{n} + \sin\frac{2i\pi}{n}, \qquad i = 0, 1, 2, \dots, n-1.$$
g₁((g₂g₃)g₄) = g₁(g₂(g₃g₄)) = (g₁g₂)(g₃g₄) = ((g₁g₂)g₃)g₄ = (g₁(g₂g₃))g₄.
we calculate that the orders of the elements 5, 1331, and 594473 will be 16427202,
12342, and 7986, respectively. Indeed,
gap> n:=16427202;; i1:=5;; i2:=1331;; i3:=594473;;
gap> order1:=n/GcdInt(i1,n);order2:=n/GcdInt(i2,n);order3:=n/GcdInt(i3,n);
16427202
12342
7986
2. Using the formula as in the previous exercise we see that to have order 7 the
element i must satisfy gcd(i, 84) = 84/7 = 12. We have six such elements: 12,
24, 36, 48, 60, 72.
3. The order of i ∈ Zₙ is calculated as
ord(i) = n / gcd(i, n) = 87330619392.
4. This is a group of order 4 but each non-zero element has order 2. Hence all cyclic
subgroups have order 2 and the group is not cyclic.
5. We know that σₙ(i) = 2i mod 2n + 1. Suppose σₙᵏ = id for some k. Then 2ᵏi ≡ i mod 2n + 1 for all i including those which are relatively prime to 2n + 1. By Lemma 1.3.3(d) this is equivalent to 2ᵏ ≡ 1 mod 2n + 1. Hence the order of σₙ is equal to the order of 2 in Z*₂ₙ₊₁.
ψᵢψⱼ = ψ_{i⊕j}.
$$\tau(a + bi) = \begin{bmatrix}a&-b\\b&a\end{bmatrix}.$$
This mapping is one-to-one and onto. Also let z₁ = a + bi and z₂ = c + di. Then
and
$$\begin{bmatrix}a&-b\\b&a\end{bmatrix}\begin{bmatrix}c&-d\\d&c\end{bmatrix} = \begin{bmatrix}ac-bd&-ad-bc\\ad+bc&ac-bd\end{bmatrix},$$
disjoint pairs {g, g −1 }. Then G \ {1} has an even number of elements and G has
an odd number of elements. This is a contradiction.
5. Suppose G is a subgroup of C∗ and |G| = n. Then, by Corollary 3.2.3, g n = 1
for every g ∈ G. This implies G = Cn since elements of G must then coincide
with n roots of unity in C.
(b) Since the order of E is 8, Lagrange’s Theorem tells us that the order of P
is a factor of 8, i.e., 2 or 4 or 8. Then: 2(0, 1) = (0, 1) + (0, 1) = (3, 11),
4(0, 1) = (3, 11) + (3, 11) = (6, 0), and 8(0, 1) = (6, 0) + (6, 0) = ∞, so
the order of P is 8 and the group G is a cyclic group with P as generator.
6. gap> p:=46301;;
gap> G:=EllipticCurveGroup(7,11,p);
EllipticCurveGroup(7,11,46301)
gap> Order(G);
46376
gap> IsCyclic(G);
true
2(4, 1) = (3, 3), 3(4, 1) = (2, 0), 4(4, 1) = (3, 2), 5(4, 1) = (4, 4), 6(4, 1) = ∞
$$a^{(p-1)/2} = \prod_{i=1}^{(p-1)/2} c_i \cdot c_i' = (p-1)! = -1.$$
2. gap> P^123;
( 208576, 85861 )
3. 1729 = 110110000012 , so GAP will first perform 10 additions to calculate
2 · P, 4 · P, . . . 1024 · P, and then a further 4 additions to compute the sum
P + 64 · P + 128 · P + 512 · P + 1024 · P.
4. gap> Order(P);
346543
5. gap> Size(G);
346543
# The order of P coincides with the order of G so P is a generator.
gap> a:=Random([1..2^28]);
199280309
gap> PowerMod(a,(p-1)/2,p);
1
# And this shows that 199280309 is a quadratic residue.
gap> b:=RootMod(a,p);
286534778672701806664621728123564904392266164296221884
gap> a=b^2 mod p;
true
# So indeed b is a square root of a.
gap> x3:=x3+1;
2311293
gap> f3:=(x3^3+123*x3+456) mod p;
9091481
gap> RootMod(f3,p);
fail
gap> x3:=x3+1;
2311294
gap> f3:=(x3^3+123*x3+456) mod p;
182728
gap> RootMod(f3,p);
6775980
gap>
1. I will first show how the message was encrypted and then show how to decrypt it.
You have to do the opposite: first decrypt the message and then encrypt a message
of your own.
gap> Read("elliptic.gd");
gap> Read("elliptic.gi");
gap> # Defining the curve:
EllipticCurveGroup(0,12345,95701)
gap> P:=Random(G);
( 91478, 65942 )
gap> # Encoding the message "I’m nobody. Who are you?"
gap> M:=[0,0,0,0,0,0,0,0,0,0,0,0];
[ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ]
gap> M[1]:=EllipticCurvePoint(FamilyObj(P),[1942,37617]);
( 1942, 37617 )
gap> M[2]:=EllipticCurvePoint(FamilyObj(P),[2341,44089]);
( 2341, 44089 )
gap> M[3]:=EllipticCurvePoint(FamilyObj(P),[2425,89535]);
( 2425, 89535 )
gap> M[4]:=EllipticCurvePoint(FamilyObj(P),[1225,46279]);
( 1225, 46279 )
gap> M[5]:=EllipticCurvePoint(FamilyObj(P),[1435,60563]);
( 1435, 60563 )
gap> M[6]:=EllipticCurvePoint(FamilyObj(P),[43410,66195]);
( 43410, 66195 )
gap> M[7]:=EllipticCurvePoint(FamilyObj(P),[3318,58656]);
( 3318, 58656 )
gap> M[8]:=EllipticCurvePoint(FamilyObj(P),[25413,63045]);
( 25413, 63045 )
gap> M[9]:=EllipticCurvePoint(FamilyObj(P),[1128,14737]);
( 1128, 14737 )
gap> M[10]:=EllipticCurvePoint(FamilyObj(P),[1541,72018]);
( 1541, 72018 )
gap> M[11]:=EllipticCurvePoint(FamilyObj(P),[3525,29201]);
( 3525, 29201 )
gap> M[12]:=EllipticCurvePoint(FamilyObj(P),[3145,46983]);
( 3145, 46983 )
gap> M;
[ ( 1942, 37617 ), ( 2341, 44089 ), ( 2425, 89535 ), ( 1225, 46279 ),
( 1435, 60563 ), ( 43410, 66195 ), ( 3318, 58656 ), ( 25413, 63045 ),
( 1128, 14737 ), ( 1541, 72018 ), ( 3525, 29201 ), ( 3145, 46983 ) ]
gap> # In M[6] and M[8] we had to add an additional fifth digit in order
gap> # to get a point.
( 88134, 77186 )
gap> QkA:=EllipticCurvePoint(FamilyObj(P),[27015, 92968]);
( 27015, 92968 )
gap> # All Bob needs for encryption is QkA which is in the public domain.
gap> C:=[0,0,0,0,0,0,0,0,0,0,0,0];
[ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ]
gap> for i in [1..12] do
> C[i]:=[P,P];
> s:=Random([1..(p-1)]);
> C[i][1]:=Q^s;
> C[i][2]:=M[i]*(QkA)^s;
> od;
gap> C;
[ [ ( 87720, 6007 ), ( 59870, 82101 ) ], [ ( 34994, 7432 ), ( 36333, 86213 ) ],
[ ( 50702, 2643 ), ( 33440, 56603 ) ], [ ( 34778, 12017 ), ( 81577, 501 ) ],
[ ( 93385, 52237 ), ( 38536, 21346 ) ], [ ( 63482, 12110 ), ( 70599, 87781 ) ],
[ ( 16312, 46508 ), ( 62735, 69061 ) ], [ ( 64937, 58445 ), ( 41541, 36985 ) ],
[ ( 40290, 45534 ), ( 11077, 77207 ) ], [ ( 64001, 62429 ), ( 32755, 18973 ) ],
[ ( 81332, 47042 ), ( 35413, 9688 ) ], [ ( 5345, 68939 ), ( 475, 53184 ) ] ]
gap> # Now Alice decrypts this message using her private key kA
gap> kA:=373;
373
gap> for i in [1..12] do
> M1[i]:=C[i][2]*((C[i][1])^kA)^-1;
> od;
gap> M1;
[ ( 1942, 37617 ), ( 2341, 44089 ), ( 2425, 89535 ), ( 1225, 46279 ),
( 1435, 60563 ), ( 43410, 66195 ), ( 3318, 58656 ), ( 25413, 63045 ),
( 1128, 14737 ), ( 1541, 72018 ), ( 3525, 29201 ), ( 3145, 46983 ) ]
gap> # Here we have to ignore any fifth digit in the x-component which occurs.
gap> # Alice reads the message as "I’m nobody. Who are you?" which is the
gap> # first line of the following poem by Emily Dickinson:
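The same encryption and decryption in Python on the curve y² = x³ + 12345 over GF(95701), an added example that is not the book's GAP session. It assumes the point (88134, 77186) printed above is the generator Q; the private key 373 and the message point (1942, 37617) are taken from the session, and the ephemeral exponent 4711 is constructed here.

```python
"""Elliptic-curve ElGamal on y^2 = x^3 + 12345 over GF(95701), the curve of the
session above (added example, not the book's GAP code).  GAP writes the group
multiplicatively, so M*Q^s and P^k there are M + s*Q and k*P here."""
import secrets

P = 95701             # prime modulus of EllipticCurveGroup(0, 12345, 95701)
A, B = 0, 12345       # curve coefficients
INF = None            # the point at infinity (GAP's identity element)


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P)


def add(p1, p2):
    """Chord-and-tangent addition in affine coordinates."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                    # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def mul(k, pt):
    """k*pt by double-and-add (what GAP's pt^k computes above)."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def encrypt(message_pt, generator, public_key, s=None):
    """ElGamal pair (s*Q, M + s*(kA*Q)); s is the per-message random exponent."""
    if s is None:
        s = secrets.randbelow(P - 1) + 1
    return (mul(s, generator), add(message_pt, mul(s, public_key)))


def decrypt(ciphertext, private_key):
    """M = C2 - kA*C1, the GAP line C[i][2]*((C[i][1])^kA)^-1 above."""
    c1, c2 = ciphertext
    return add(c2, neg(mul(private_key, c1)))


# Assumed generator (the point printed above), Alice's key and the first message
# block from the session; the ephemeral exponent 4711 is constructed here.
Q = (88134, 77186)
KA = 373
M1 = (1942, 37617)

if __name__ == "__main__":
    public = mul(KA, Q)
    c = encrypt(M1, Q, public, s=4711)
    print(on_curve(Q), on_curve(M1), decrypt(c, KA) == M1)    # True True True
```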
and observe that it is in Q. We also observe that for a ≠ 0 we have x² − 2y² ≠ 0, since √2 is irrational. Thus we have aa⁻¹ = 1 for
$$a^{-1} = \frac{x}{x^2 - 2y^2} - \frac{y}{x^2 - 2y^2}\sqrt{2}.$$
4. In Q(√2) we will have (2 − √3)⁻¹ = 2 + √3. Further, x = (2 + √3)(1 + √3) = 5 + 3√3.
5. All standard linear algebra techniques for finding such a solution work: you can find the solution by Gaussian elimination or by calculating the inverse of the matrix of this system of linear equations. Here we show how this can be solved with GAP:
gap> A:=[[3,1,4],[1,2,1],[4,1,4]];
[ [ 3, 1, 4 ], [ 1, 2, 1 ], [ 4, 1, 4 ] ]
gap> b:=[1,2,4];
[ 1, 2, 4 ]
gap> Determinant(A) mod 5;
3
# Hence the matrix is invertible.
gap> A^-1 mod 5;
[ [ 4, 0, 1 ], [ 0, 2, 2 ], [ 1, 2, 0 ] ]
# The solution can now be calculated as
gap> A^-1*b mod 5;
[ 3, 2, 0 ]
# Thus we have a unique solution x=3, y=2, z=0.
As the order of the sought element x is 97² · 101² · 103² we need to construct elements x₁, x₂, x₃ ∈ G of orders 97², 101², 103², respectively. Since the orders of g, h, k are 18 · 101², 14 · 97², 12 · 103², we can take x₁ = h¹⁴, x₂ = g¹⁸, x₃ = k¹². Then x = x₁x₂x₃.
We see that 58380 does not divide p − 1, hence by Corollary 3.2.3 an element of
this order cannot be in Z∗p .
Let us calculate (p − 1)/11561 = 16680. Then ord(a¹⁶⁶⁸⁰) = 11561 by Lemma 4.2.4. So an element of order 11561 exists.
2. Let us divide n by m with remainder: n = qm + r with 0 ≤ r < m. Then
(b) Since g = 3 is a primitive element of Z₁₇ all the powers of 3 in the following table are different:
n        | 1  2  3  4  5  6  7  8  9  10 11 12 13 14 15 16
3ⁿ       | 3  9  10 13 5  15 11 16 14 8  7  4  12 2  6  1
n        | 1  2  3  4  5  6  7  8  9  10 11 12 13 14 15 16
log₃(n)  | 16 14 1  12 5  15 11 10 2  3  7  13 4  9  6  8
3. Let us note first that by the definition of the discrete log we have g^{log_g(x)} = x. To prove
log_g(ab) = log_g(a) + log_g(b) mod p − 1   (11.4)
we take g, the primitive element, to the power k = log_g(ab) and to the power m = log_g(a) + log_g(b) mod p − 1. Since all powers gⁱ are different for i = 0, 1, …, p − 2 we get gᵏ = gᵐ if and only if k = m since k, m ∈ {0, 1, …, p − 2}. Since g^{p−1} = 1 we have
gap> m:=[0,0,0,0,0,0,0];;
gap> for i in [1..7] do
> m[i]:=(c[i][2]*(PowerMod(c[i][1],kB,p))^-1) mod p;
> od;
gap> m;
[ 19244117112225192941, 16191522142944411631, 22224125164116222533,
15282944412628192319, 30193215411522152315, 24302941141124131541,
16252841182531282943 ]
gap> # Which reads:"In Galois fields, full of flowers, primitive elements
gap> # dance for hours."
                  4x² + 2x
3x² + 2x + 1 | 5x⁴       + x² + 3x + 4
               5x⁴ + x³ + 4x²
               ──────────────────────
                    −x³ − 3x² + 3x + 4
                    −x³ − 3x² − 5x
                    ──────────────────
                                 x + 4
a    | 0 1 2 3 4
f(a) | 1 3 0 0 0
f(x) = (x + 1)(x³ + x² + x + 1)
     = (x + 1)(x + 2)(x² + 4x + 3)
     = (x + 1)(x + 2)(x + 3)(x + 1)
     = (x + 1)²(x + 2)(x + 3).
This will be
$$f(0) = 3\,\frac{(-3)(-4)}{(1-3)(1-4)} + 2\,\frac{(-1)(-4)}{(3-1)(3-4)} + 1\,\frac{(-1)(-3)}{(4-1)(4-3)} = 3.$$
$$\frac{3}{4} - 3 - 5 - \frac{1}{4} = 6 - 3 - 5 - 2 = 6.$$
(Note that here 3/4 means: find the inverse of 4 in Z₇ and multiply 3 by the result.)
Method 2: is to use linear algebra to determine the coefficients of the polynomial: we must find a₀, a₁, a₂, a₃ such that
$$\begin{bmatrix}1&1&1^2&1^3\\1&2&2^2&2^3\\1&3&3^2&3^3\\1&5&5^2&5^3\end{bmatrix}\begin{bmatrix}a_0\\a_1\\a_2\\a_3\end{bmatrix} = \begin{bmatrix}1&1&1&1\\1&2&4&1\\1&3&2&6\\1&5&4&6\end{bmatrix}\begin{bmatrix}a_0\\a_1\\a_2\\a_3\end{bmatrix} = \begin{bmatrix}3\\2\\2\\1\end{bmatrix}$$
The constant term is 6, as before. We also have all the other coefficients of our polynomial: f(x) = x³ + 5x² + 5x + 6 (but only the constant term of the polynomial was required).
4. This can be done by the following GAP command
gap> InterpolatedPolynomial( Integers, [ 1, 2, 3, 5 ], [ 5, 7, 0, 3 ] ) mod 13;
4*x_1^3+4*x_1^2+x_1+9
x² + 1, x² + 2, x² + x + 1, x² + x + 2, x² + 2x + 1, x² + 2x + 2.
x² + 1, x² + x + 2, x² + 2x + 2   (11.5)
which are indeed irreducible, since it is easy to check that they have no roots in Z₃.
3. Checking irreducibility of degree 3 polynomials only requires a search for roots.
However, with a degree 4 polynomial f each irreducible monic quadratic poly-
nomial must be checked as a potential factor of f . This entails compiling a list of
all of the irreducible quadratics first. For larger fields this will be time consuming.
4. (i) Since f (x) has no roots, it is irreducible.
(ii) As g(1) = 0, it has a root in Z3 . Hence g(x) is reducible.
(iii) We first determine that h(x) has no roots. Then, we check each of the three monic irreducible quadratics found in (11.5) as a potential factor by doing long division. Since none of these monic polynomials divide h(x) (the details are omitted), h(x) is irreducible.
5. We need to check if f(x) has divisors among the irreducible polynomials of degree 1 and 2. As f(0) = f(1) = 1 ≠ 0 it does not have linear factors. The
f(x) = x⁵ + x² + 1 = (x² + x + 1)(x³ + x²) + 1.
x⁷ + 1 = (x³ + x² + x + 1)(x⁴ + x³ + 1) + (x² + x)
x³ + x² + x + 1 = (x² + x)x + (x + 1)
x² + x = (x + 1)x.
Hence gcd(f, g)(x) = x + 1. Now let us perform the Extended Euclidean algorithm:
x⁷ + 1             | 1       | 0
x³ + x² + x + 1    | 0       | 1
x² + x             | 1       | x⁴ + x³ + 1
x + 1              | x       | x⁵ + x⁴ + x + 1

x⁵ + x³ + 1        | 1       | 0
x³ + x² + x + 1    | 0       | 1
x²                 | 1       | x² + x + 1
x + 1              | x + 1   | x³
1                  | x²      | x⁴ + x³ + x² + x + 1
Thus (x³ + x² + x + 1)⁻¹ = x⁴ + x³ + x² + x + 1.
(c) Let us calculate the powers of 2x + 1 and form the 'logarithm table'
(e) There are φ(8) = 4 primitive elements in this field. They are: a = 1 + 2x, a³ = x, a⁵ = 2 + x, a⁷ = 2x.
3. (a) Straightforward calculation.
(b) Suppose that a is a multiple root of f(x). Then f(x) = g(x)(x − a)ᵏ, where k ≥ 2. By the product rule
and a is also a root of the derivative. Hence it is also a root of gcd(f(x), f′(x)).
(c) The polynomial f(x) = x^{pⁿ} − x does not have multiple roots in any field F of characteristic p > 0 since f′(x) = −1 and f(x) is relatively prime to f′(x).
α⁰ = (1 + x + x²)⁰ = 1 → 1000
α¹ = (1 + x + x²)¹ = 1 + x + x³ → 1110
α² = (1 + x + x²)² = x + x² → 0110
α³ = (1 + x + x²)³ = 1 → 1000
α⁴ = (1 + x + x²)⁴ = 1 + x + x² → 1110
α⁰ = (1 + x)⁰ = 1 → 1000
α⁰ = (1 + x)¹ = 1 + x → 1100
α¹ = (1 + x)² = 1 + x² → 1010
α² = (1 + x)³ = 1 + x + x² + x³ → 1111
α³ = (1 + x)⁴ = x → 0100
γ⁰ = x⁰ = 1 → 1000
γ¹ = x⁵ = x + x³ → 1101
γ² = x¹⁰ = x + x³ → 0101
These first three powers are already linearly dependent, so we don’t have to
compute any more powers. We don’t even need to use the Linear Dependency
Relationship Algorithm to find a linear dependency between these tuples. It
is obvious that γ 2 = 1 + γ, whence the minimal annihilating polynomial will
be f (t) = t 2 + t + 1 (because there can be no annihilating polynomials of
degree 1 as x ∈/ Z2 ).
(c) We can now calculate using the table:
Thus
(x¹⁰⁰ + x + 1)(x³ + x² + x + 1)¹⁵ + x³ + x + 1 = x.
4. (a) Elements Z(2⁴)⁵ and Z(2⁴)¹⁰ are not listed in the same form as the other powers of Z(2⁴) because Z(2⁴)⁵ = Z(2²) and Z(2⁴)¹⁰ = Z(2²)², i.e., they are elements of the subfield GF(2²).
(b) We generate GF(2⁴) as follows and denote for brevity Z(2⁴)⁷ as a:
gap> F:=GaloisField(2^4);
GF(2^4)
gap> e:=Elements(F);
[ 0*Z(2), Z(2)^0, Z(2^2), Z(2^2)^2, Z(2^4), Z(2^4)^2, Z(2^4)^3, Z(2^4)^4,
Z(2^4)^6, Z(2^4)^7, Z(2^4)^8, Z(2^4)^9, Z(2^4)^11, Z(2^4)^12, Z(2^4)^13,
Z(2^4)^14 ]
gap> a:=e[10];
Z(2^4)^7
1. {3, 4}, {1, 2, 3}, {1, 3, 4}, {2, 3, 4}, {1, 2, 3, 4}.
2. {1, 2}, {3, 4, 5}, {1, 3, 4}, {1, 3, 5}, {1, 4, 5}, {2, 3, 4}, {2, 3, 5}, {2, 4, 5}.
3. There are $\binom{10}{4} = 210$ minimal authorised coalitions.
4. We will prove only (a) since (b) is similar. All we need to show is the monotone
property. Suppose X, Y are both subsets of U , X ⊆ Y , and X ∈ 1 + 2 . Then
X ∩ U1 ∈ 1 or X ∩ U2 ∈ 2 and we suppose that the former is true. But then
Y ∩ U1 ⊇ X ∩ U1 ∈ 1 and Y ∩ U1 ∈ 1 due to the fact that 1 is monotonic.
Hence Y ∈ 1 + 2 .
5. Suppose X ∈ and Y ⊇ X . Then by the definition X c ∈ / and Y c ⊆ X c and,
due to the monotonic property, Y ∈ c / , hence Y ∈ .
= 4(x + 1)(x + 3) = 4x 2 + 2x + 5.
2. GAP helps us to find the interpolation polynomial. Then we calculate the constant
term, substituting 0 into it:
gap> f:=InterpolatedPolynomial(GF(31),[1,5,7],[16,7,22]);
Z(31)^29*x_1^2+Z(31)^4*x_1+Z(31)^28
gap> Int(Value(f,0));
7
So the secret is 7.
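Lagrange interpolation over GF(p) in Python, an added example that is not the book's GAP code; it serves both the f(0) computations and interpolation polynomials of Chap. 5 above and this GF(31) secret, and goes one step beyond the text with a Shamir split-and-recover round trip whose polynomial coefficients and share points are constructed here.

```python
"""Lagrange interpolation over GF(p) for the interpolation and secret-sharing
exercises above (added example, not the book's GAP code)."""


def lagrange_at(points, x0, p):
    """Value at x0 of the unique polynomial through points = [(x_i, y_i)] over GF(p).

    This is the f(0) formula used above: each y_i is multiplied by the product of
    (x0 - x_j)/(x_i - x_j) over j != i, with division done by modular inverses
    (the remark that 3/4 means "3 times the inverse of 4").
    """
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                num = num * (x0 - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def poly_mul(a, b, p):
    """Product of two coefficient lists (lowest degree first) over GF(p)."""
    out = [0] * (len(a) + len(b) - 1)
    for i, u in enumerate(a):
        for j, v in enumerate(b):
            out[i + j] = (out[i + j] + u * v) % p
    return out


def lagrange_coeffs(points, p):
    """Coefficients [a_0, ..., a_{k-1}] of the interpolating polynomial, the
    same answer the linear-algebra "Method 2" above produces."""
    k = len(points)
    coeffs = [0] * k
    for i, (xi, yi) in enumerate(points):
        basis, den = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                basis = poly_mul(basis, [(-xj) % p, 1], p)   # multiply by (x - x_j)
                den = den * (xi - xj) % p
        scale = yi * pow(den, -1, p) % p
        for t in range(k):
            coeffs[t] = (coeffs[t] + scale * basis[t]) % p
    return coeffs


def shamir_split(secret, coeffs, xs, p):
    """Shares (x, f(x)) of f(x) = secret + c_1 x + c_2 x^2 + ... over GF(p).

    coeffs are the (here constructed) random coefficients; any len(coeffs)+1
    shares determine f and hence the secret f(0).
    """
    def f(x):
        return (secret + sum(c * pow(x, d + 1, p) for d, c in enumerate(coeffs))) % p
    return [(x, f(x)) for x in xs]


def shamir_recover(shares, p):
    return lagrange_at(shares, 0, p)


if __name__ == "__main__":
    print(lagrange_at([(1, 3), (3, 2), (4, 1)], 0, 7))              # 3
    print(lagrange_coeffs([(1, 3), (2, 2), (3, 2), (5, 1)], 7))     # [6, 5, 5, 1]
    print(lagrange_coeffs([(1, 5), (2, 7), (3, 0), (5, 3)], 13))    # [9, 1, 4, 4]
    print(lagrange_at([(1, 16), (5, 7), (7, 22)], 0, 31))           # 7, the secret above
    shares = shamir_split(55, [4, 9], [1, 2, 3, 4, 5], 101)         # constructed example
    print(shamir_recover(shares[:3], 101), shamir_recover(shares[:2], 101))  # 55 37
```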
Hence the secret is 55 and the cards of the two remaining board members are
likely to be
3 5
96 4
s₁ s₂ | f_{{1,2}}(s₁, s₂)
0  0  | 0
1  0  | 1
0  1  | 1
1  1  | 0
0  2  | 1
2  0  | 1
1  2  | 1
2  1  | 1
2  2  | 0
If b = a and c = 0 it is nonzero. The implications are that the coalitions {1, 2, 4},
{1, 2, 5}, {1, 2, 6}, {1, 3, 4}, {1, 3, 5}, {1, 3, 6}, {2, 3, 4}, {2, 3, 5}, {2, 3, 6} are
minimal authorised. It remains to note that no coalition containing two of the
users 4, 5, 6 are minimal authorised: if it is, then one of these users can be
removed without losing the coalition (indeed their respective rows are multiples
of one another). Therefore the minimal authorised coalitions listed so far are all
minimal authorised coalitions.
3. See the next problem which is more general.
4. Let {1, 2, . . . , n} be a set of users. For a linear secret sharing scheme with matrix
H with rows h0 , h1 , . . . , hn a coalition {i 1 , i 2 , . . . , i k } is authorised if h0 —which
is normally taken to be (1, 0, . . . , 0)—is in the span of hi1 , . . . , hik .
It is immediate that {1, 2} and {3, 4, 5} are authorized for any distinct non-zero a₁, a₂, a₃, a₄, a₅. Indeed, the determinant
$$\begin{vmatrix}1&a_1\\1&a_2\end{vmatrix} \ne 0,$$
hence (1, 0) = x₁(1, a₁) + x₂(1, a₂). But then (1, 0, 0) = x₁(1, a₁, 0) + x₂(1, a₂, 0) too. Also
$$\begin{vmatrix}1&a_3&a_3^2\\1&a_4&a_4^2\\1&a_5&a_5^2\end{vmatrix} \ne 0,$$
for i, j ∈ {3, 4, 5}. Expanding D using cofactors of the first row we will get
$$D = \begin{vmatrix}a_i&a_i^2\\a_j&a_j^2\end{vmatrix} = a_i a_j \begin{vmatrix}1&a_i\\1&a_j\end{vmatrix} = a_i a_j (a_j - a_i) \ne 0.$$
Coalitions {i, j, k}, where i ∈ {1, 2} and j, k ∈ {3, 4, 5}, may or may not be authorized depending on the values a₁, a₂, a₃, a₄, a₅. To find out the exact condition when {i, j, k} is authorized, let us consider the determinant
$$\begin{vmatrix}1&a&0\\1&b&b^2\\1&c&c^2\end{vmatrix} = \begin{vmatrix}b&b^2\\c&c^2\end{vmatrix} - a\begin{vmatrix}1&b^2\\1&c^2\end{vmatrix} = bc(c-b) - a(c^2-b^2).$$
Thus this determinant is zero if and only if a = bc/(b + c).
Now let us consider the coalition {i, j, k}, where i ∈ {1, 2} and j, k ∈ {3, 4, 5}. If hᵢ ∈ Span{hⱼ, hₖ}, then we know that this coalition is not authorized since h₀, as we know, is not in Span{hⱼ, hₖ}. On the other hand, if hᵢ ∉ Span{hⱼ, hₖ}, then {hᵢ, hⱼ, hₖ} forms a basis of R³, h₀ is in the span of this set and the coalition {i, j, k} is authorized. So coalition {i, j, k} is authorized if and only if aᵢ ≠ aⱼaₖ/(aⱼ + aₖ).
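Testing "h₀ ∈ Span{hᵢ, …}" by rank over GF(p), as an added Python example that is not the book's code. The values p = 11 and a₁, …, a₅ = 6, 10, 3, 5, 7 are constructed so that exactly one triple, {1, 3, 4}, meets the condition a₁ = a₃a₄/(a₃ + a₄); the closed form derived above is cross-checked against the rank test, and the case aⱼ + aₖ ≡ 0, where the fraction is undefined, is handled.

```python
"""Authorised-coalition test for a linear secret sharing scheme (added example, not the
book's code): a coalition is authorised iff h_0 lies in the span of its rows over GF(p)."""
from itertools import combinations


def rank_mod_p(rows, p):
    """Rank over GF(p) by Gauss-Jordan elimination (the Linear Dependency
    Relationship Algorithm used above, without keeping the relation itself)."""
    m = [[v % p for v in r] for r in rows]
    rank = 0
    for col in range(len(m[0]) if m else 0):
        pivot = next((r for r in range(rank, len(m)) if m[r][col]), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], -1, p)
        m[rank] = [v * inv % p for v in m[rank]]
        for r in range(len(m)):
            if r != rank and m[r][col]:
                f = m[r][col]
                m[r] = [(a - f * b) % p for a, b in zip(m[r], m[rank])]
        rank += 1
    return rank


def is_authorised(share_rows, h0, p):
    """h0 is in Span(share_rows) iff appending h0 does not raise the rank."""
    return rank_mod_p(share_rows, p) == rank_mod_p(share_rows + [h0], p)


def vandermonde_scheme(a, p):
    """The scheme of exercise 4 above: h1 = (1, a1, 0), h2 = (1, a2, 0),
    h_j = (1, a_j, a_j^2) for j = 3, 4, 5, and target h0 = (1, 0, 0)."""
    a1, a2, a3, a4, a5 = a
    rows = {1: [1, a1, 0], 2: [1, a2, 0]}
    for j, aj in zip((3, 4, 5), (a3, a4, a5)):
        rows[j] = [1, aj, aj * aj % p]
    return [1, 0, 0], rows


def minimal_authorised(h0, rows, p):
    """All minimal authorised coalitions, by brute force over subsets by size."""
    users, found = sorted(rows), []
    for size in range(1, len(users) + 1):
        for coalition in combinations(users, size):
            if any(set(m) <= set(coalition) for m in found):
                continue                      # a proper subset is already authorised
            if is_authorised([rows[u] for u in coalition], h0, p):
                found.append(coalition)
    return found


def triple_condition(ai, aj, ak, p):
    """Closed form derived above: {i, j, k} with i in {1, 2}, j, k in {3, 4, 5} is
    authorised iff a_i != a_j*a_k/(a_j + a_k).  If a_j + a_k == 0 mod p the
    determinant bc(c-b) - a(c^2-b^2) collapses to bc(c-b) != 0, so it is authorised."""
    if (aj + ak) % p == 0:
        return True
    return ai % p != aj * ak * pow(aj + ak, -1, p) % p


# Constructed parameters: a1 = 6 equals a3*a4/(a3+a4) = 15/8 mod 11.
P_MOD = 11
A_VALUES = [6, 10, 3, 5, 7]

if __name__ == "__main__":
    h0, rows = vandermonde_scheme(A_VALUES, P_MOD)
    print(is_authorised([rows[1], rows[3], rows[4]], h0, P_MOD))   # False
    print(minimal_authorised(h0, rows, P_MOD))
```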
5. (a) Let us try A first. We will apply the Linear Dependency Relationship Algorithm. Consider the matrix
$$H = [\,\mathbf h_1^T\ \mathbf h_2^T\ \mathbf h_3^T\ \mathbf e_1^T\,] = \begin{bmatrix}1&1&1&1\\2&3&5&0\\3&3&2&0\\0&0&0&0\\0&0&0&0\end{bmatrix}.$$
We may stop row reducing here. As the last column contains a pivot, e₁ is not a linear combination of h₁, h₂, h₃. So A is not authorized.
Let us now try B. Consider the matrix
$$H = [\,\mathbf h_1^T\ \mathbf h_4^T\ \mathbf h_5^T\ \mathbf e_1^T\,] = \begin{bmatrix}1&0&0&1\\2&1&6&0\\3&1&1&0\\0&2&1&0\end{bmatrix}.$$
where t is the target vector which is the top row of matrix S. Let mᵢ = (cᵢ, mᵢ′) and nⱼ = (dⱼ, nⱼ′). Then
$$\sum_{i=1}^{s} \beta_i \mathbf m_i' = \sum_{j=1}^{t} \delta_j \mathbf n_j' = 0$$
$$\sum_{i=1}^{s} \beta_i c_i = \sum_{j=1}^{t} \delta_j d_j = 0,$$
from which
$$\sum_{i=1}^{s} \beta_i \mathbf m_i = \sum_{j=1}^{t} \delta_j \mathbf n_j = 0,$$
a contradiction.
(b) The matrix P such that P = M × N can be constructed as follows
⎡ ⎤
1 0 0
P = ⎣ M M1 0 ⎦ .
0 N1 N−1
1. (i) If C is authorised, then their shares are compatible with only one value of a
secret, hence #TC = #TC .
(ii) If C is not authorised, then, since the scheme is perfect, their shares are
compatible with any of the q secrets, hence #TC = q · #TC .
3. (i) Follow the argument in Example 6.2.6.
(ii) Let A be a maximal authorised coalition and A = A ∪ {0}. Then arguing as
in Example 6.2.6 we can prove that #T A = q 2 . Suppose A = U , then, due to
connectedness, we will have i ∈ A and j ∈ / A such that {i, j} is authorised. Let
us fix a share si . Then, as in the proof of Theorem 6.2.3, we obtain a one-to-one
correspondence between S0 and S j . Hence the secret s and si uniquely determine
s j . This implies that #T A ∪{ j} = q 2 which contradicts the maximality of A.
(iii) Due to (ii) we have #T{i, j} = q or #T{i, j} = q 2 . Let us prove that the second
option cannot happen. Take any two shares si and s j . Since {i, j} is not authorised,
we have at least q rows in T containing si and s j (as there must be such a row
for every secret s). This implies #T{i, j} = q.
(iv) This follows from (iii) since #T_{i,j} = #T_{j,k} = q implies #T_{i,k} = q.
(v) From (iv) we deduce that the relation
i ≡ j ⇐⇒ {i, j} ∈
/ min
E + c0 = {c + c0 | c ∈ E}
consists of codewords of odd Hamming weight and its cardinality is the same as the cardinality of E. Let us show that every codeword with an odd Hamming weight is in E + c₀. Let d be such a codeword. Then d + c₀ is also a codeword and has an even Hamming weight, that is, d + c₀ = c ∈ E. But then d = c + c₀ ∈ E + c₀.
$$E(\mathbf a) = (a_1, a_2, a_3, a_1 + a_2 + a_4, a_2 + a_3, a_1 + a_3 + a_4, a_4)$$
$$= a_1(1,0,0,1,0,1,0) + a_2(0,1,0,1,1,0,0) + a_3(0,0,1,0,1,1,0) + a_4(0,0,0,1,0,1,1)$$
$$= \begin{bmatrix}1&0&0&1&0&1&0\\0&1&0&1&1&0&0\\0&0&1&0&1&1&0\\0&0&0&1&0&1&1\end{bmatrix}\begin{bmatrix}a_1\\a_2\\a_3\\a_4\end{bmatrix} = G\mathbf a.$$
2. Straightforward.
3. It is known from Linear Algebra that elementary row operations performed on G
do not change the row-space of G, which is exactly the set of codewords.
4. (a) (1 1 1)G = (1 0 0 …), hence it is not systematic as the first three coordinates do not represent the message.
(b) We row reduce G as follows using only elementary row operations:
$$G = \begin{bmatrix}1&0&1&0&1&0\\1&1&0&0&1&1\\1&1&1&0&0&0\end{bmatrix} \to \begin{bmatrix}1&0&1&0&1&0\\0&1&1&0&0&1\\0&1&0&0&1&0\end{bmatrix} \to \begin{bmatrix}1&0&1&0&1&0\\0&1&1&0&0&1\\0&0&1&0&1&1\end{bmatrix} \to \begin{bmatrix}1&0&0&0&0&1\\0&1&0&0&1&0\\0&0&1&0&1&1\end{bmatrix}.$$
The latter is the generator matrix of a systematic code C₂. The codewords are the rows of the following matrix:
$$\begin{bmatrix}0&0&0&0&0&0\\1&0&0&0&0&1\\0&1&0&0&1&0\\0&0&1&0&1&1\\1&1&0&0&1&1\\1&0&1&0&1&0\\0&1&1&0&0&1\\1&1&1&0&0&0\end{bmatrix}.$$
The latest matrix is already in the reduced row echelon form with columns 1, 3 and 4 being pivotal.
x1 = x2 + 2x5
x3 = 2x5
x4 = 2x5
(b) Apart from these two, there are seven other vectors in NS( A), namely
0 = (0 0 0 0 0),
2f1 = (2 2 0 0 0),
2f2 = (1 0 1 1 2),
f1 + f2 = (0 1 2 2 1),
f1 + 2f2 = (2 1 1 1 2),
2f1 + f2 = (1 2 2 2 1),
2f1 + 2f2 = (0 2 1 1 2).
(c) We have wt(f1 ) = wt(2f1 ) = 2. These are the two vectors which have the
minimum Hamming weight, which is 2.
2. (a) Let us row reduce the parity check matrix to the form (A | I4 ):
⎡ ⎤ ⎡ ⎤
001 1 101 00 1 100 0
⎢0 1 0 1 0 1 1⎥ ⎢ 0⎥
⎢
H =⎣ ⎥ −→ ⎢ 1 1 1 010 ⎥.
100 0 1 1 1⎦ ⎣1 0 0 001 0⎦
111 1 110 11 1 000 1
Hence b = (1 0 1 0 1 0 0 1).
2. The matrix G has 5 rows and 8 columns:
$$G = \begin{bmatrix}1&1&0&1&0&0&0&0\\0&1&1&0&1&0&0&0\\0&0&1&1&0&1&0&0\\0&0&0&1&1&0&1&0\\0&0&0&0&1&1&0&1\end{bmatrix}.$$
3. Row reducing, we find a matrix G′ for a systematic code with the same minimum distance:
$$G \to G' = \begin{bmatrix}1&0&0&0&0&0&0&1\\0&1&0&0&0&1&1&0\\0&0&1&0&0&0&1&1\\0&0&0&1&0&1&1&1\\0&0&0&0&1&1&0&1\end{bmatrix}.$$
1. (a) This binary BCH code C has parameters n = 15 (length of codewords) and
d = 7 (minimum distance). We have to choose a primitive element α of K ,
then the generating polynomial of the code C will be given by a formula
x 4 + x 3 + 1 = (x 2 + 1)(x 2 + x + 1) + x.
γ⁰ = x⁰ = 1 → 1000
γ¹ = x⁵ = x + x³ → 1101
γ² = x¹⁰ = x + x³ → 0101
These first three powers are already linearly dependent, so we don’t have to
compute any more powers. We don’t even need to use the Linear Dependency
Relationship Algorithm to find a linear dependency between these tuples. It
is obvious that γ 2 = 1 + γ, whence the minimal annihilating polynomial will
be f (t) = t 2 + t + 1 (because there can be no annihilating polynomials of
degree 1 as x ∈/ Z2 ). We can now calculate
gap> a:=elts[17];
Z(2^8)
gap> m1:=MinimalPolynomial(GF(2),a);
x_1^8+x_1^4+x_1^3+x_1^2+Z(2)^0
gap> m3:=MinimalPolynomial(GF(2),a^3);
x_1^8+x_1^6+x_1^5+x_1^4+x_1^2+x_1+Z(2)^0
gap> m5:=MinimalPolynomial(GF(2),a^5);
x_1^8+x_1^7+x_1^6+x_1^5+x_1^4+x_1+Z(2)^0
gap> g:=m1*m3*m5;
x_1^24+x_1^23+x_1^21+x_1^20+x_1^19+x_1^17+x_1^16+x_1^15+x_1^13+x_1^8+x_1^7+
x_1^5+x_1^4+x_1^2+Z(2)^0
g(x) = x²⁴ + x²³ + x²¹ + x²⁰ + x¹⁹ + x¹⁷ + x¹⁶ + x¹⁵ + x¹³ + x⁸ + x⁷ + x⁵ + x⁴ + x² + 1.
1. No, the second column is twice the first column and the first column is the same
as the last column.
2. Let us row reduce
$$H_2 = \begin{bmatrix}1&2&1&2&1&1\\1&2&1&0&2&2\\2&1&0&1&0&1\end{bmatrix} \to \begin{bmatrix}1&2&1&2&1&1\\1&2&1&0&2&2\\0&0&1&0&1&2\end{bmatrix} \to \begin{bmatrix}2&1&2&1&2&2\\1&2&1&0&2&2\\0&0&1&0&1&2\end{bmatrix} \to$$
$$\begin{bmatrix}1&2&1&1&0&0\\1&2&1&0&2&2\\0&0&1&0&1&2\end{bmatrix} \to \begin{bmatrix}1&2&1&1&0&0\\2&1&2&0&1&1\\0&0&1&0&1&2\end{bmatrix} \to \begin{bmatrix}1&2&1&1&0&0\\2&1&2&0&1&1\\1&2&2&0&0&1\end{bmatrix} \to \begin{bmatrix}1&2&1&1&0&0\\1&2&0&0&1&0\\1&2&2&0&0&1\end{bmatrix} = (A \mid I_3).$$
3. Decoding y we calculate
$$H\mathbf y^T = \begin{bmatrix}2\\2\\0\end{bmatrix} = 2\mathbf h_3.$$
Hence the error vector was (0 0 2 0 0 0) and the codevector sent was
(0 2 0 2 2 2). Hence the message was (0 2 0).
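Syndrome decoding in Python as an added example (not the book's code), with H₂ from the row reduction above as the parity-check matrix and a received vector y constructed here so that H yᵀ = 2h₃ as in exercise 3.

```python
"""Single-error syndrome decoding for the ternary code above (added example, not the
book's code).  H is the 3 x 6 matrix H_2 before row reduction; the received vector
Y is constructed here as the codeword (0 2 0 2 2 2) with 2 added in position 3."""

P = 3
H = [[1, 2, 1, 2, 1, 1],
     [1, 2, 1, 0, 2, 2],
     [2, 1, 0, 1, 0, 1]]
Y = [0, 2, 2, 2, 2, 2]        # constructed received vector


def syndrome(h, y, p=P):
    """H * y^T over GF(p)."""
    return [sum(hij * yj for hij, yj in zip(row, y)) % p for row in h]


def column(h, j):
    return [row[j] for row in h]


def decode_single_error(h, y, p=P):
    """Return (codeword, error) assuming at most one symbol of y is wrong.

    If y = c + lam*e_j then H y^T = lam*h_j, so we look for the column j and the
    scalar lam in 1..p-1 with syndrome == lam*h_j and subtract lam at position j.
    Raises ValueError when no single-error explanation exists.
    """
    s = syndrome(h, y, p)
    if not any(s):
        return list(y), [0] * len(y)
    for j in range(len(y)):
        hj = column(h, j)
        for lam in range(1, p):
            if [lam * v % p for v in hj] == s:
                error = [0] * len(y)
                error[j] = lam
                codeword = [(yj - ej) % p for yj, ej in zip(y, error)]
                return codeword, error
    raise ValueError("syndrome is not a multiple of one column: more than one error")


def message_of(codeword, k):
    """With H row-equivalent to (A | I_3) the first k = 3 symbols carry the message."""
    return codeword[:k]


if __name__ == "__main__":
    print(syndrome(H, Y))                         # [2, 2, 0], i.e. 2*h_3
    cw, err = decode_single_error(H, Y)
    print(cw, err, message_of(cw, 3))             # [0,2,0,2,2,2] [0,0,2,0,0,0] [0,2,0]
```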
x1 = (1 1 1 0 0 0 2 2 2),
x2 = (1 1 2 2 0 0 1 1 2),
x3 = (1 2 2 0 2 0 1 2 0).
2. For example,
3. In the ith coordinate of a descendant we can find any element from Pi (X ) and they
can be chosen independently of each other. Hence the total number of descendants
is m 1 · . . . · m n .
c1 = (1 1 1 1 1 1),
c2 = (2 2 2 2 2 2),
c3 = (3 3 3 3 3 3),
c4 = (1 2 3 1 2 3),
c5 = (2 3 1 2 3 1),
c6 = (3 1 2 3 1 2).
of degree 12. Being of length 16, it will have distance 13 and have 12 check symbols and 4 information symbols, hence 7⁴ = 83521 codewords. Since
$$\frac{1}{2^2} + \frac{1}{2^3} + \frac{1}{2^3} + \frac{1}{2^3} + \frac{1}{2^3} + \frac{1}{2^3} + \frac{1}{2^4} + \frac{1}{2^5} + \frac{1}{2^2} + \frac{1}{2^5} = \frac{1}{4} + 5\cdot\frac{1}{8} + \frac{1}{16} + 2\cdot\frac{1}{32} = 1.$$
1. We separate the first four bits 0010 of ψ(y), this is the prefix and we discover that wt(y) = 2. From the remaining part we see that the number N(y) of y in the orbit is 11110₍₂₎ = 30. From Pascal's triangle we solve the equation
$$\binom{15 - n_1}{2} + \binom{15 - n_2}{1} = N(y) = 30$$
by finding
$$\binom{15 - n_1}{2} = 28 = \binom{8}{2}, \qquad \binom{15 - n_2}{1} = 2 = \binom{2}{1}.$$